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Introduction 

Report  of  the  Auditor  General  of  Alberta — October  2010 


Message  from  the  Auditor  General 


Breadth  of  our  work 

—  This  second  of  our  public  reports  in  2010,  the  first  being  in  April,  describes  the  work  of  the  Office  by 
~  including  the  recommendations  we  make  to  government  departments  and  agencies. 

^  However,  making  recommendations  designed  to  help  organizations  improve  their  management  of 

—  public  resources  is  only  a  part  of  what  we  do.  The  chapter  of  this  report  called  "Government  of  Alberta 
and  Ministry  Annual  Reports"  (page  1 03)  states  that  we  issued  unqualified  auditor's  opinions  on  Alberta's 

—  consolidated  financial  statements,  24  ministry  financial  statements,  including  their  agencies,  and  selected 
_  performance  measures  in  Measuring  Up.  We  also  state  we  were  able  to  issue  23  unqualified  reports  from 

engagements  to  review  selected  performance  measures  in  ministry  annual  reports. 

~  Providing  assurance  on  government  and  agency  performance  reports  is  a  vital  part  of  our  work  for 

—  Albertans.  It  takes  many  hours  and  dollars  to  do  but  often  goes  unrecognized  when  competing  for  space 
in  reports  filled  with  recommendations. 

~  Focus  of  our  work 

"~  In  the  past  few  years,  our  public  reports  have  contained  a  considerable  volume  of  new  recommendations 

—  for  improvements  or  changes  to  government  systems.  As  well,  a  large  number  of  recommendations 
relating  to  financial  or  management  control  systems  are  made  annually  from  the  work  we  perform  during 
our  financial  statement  audits. 

The  inevitable  consequence  of  this  volume  of  past  recommendations  is  that  we  are  re-balancing 
^  our  work  plans  to  do  an  increasing  number  of  follow-up  audits.  The  follow-up  audit  confirms  that 

sustainable  change  has  taken  place.  It  is  the  payback  on  the  investment  of  audit  dollars  in  producing  a 
recommendation.  And  it  is  worth  noting  that  the  audit  effort  needed  to  confirm  that  a  recommendation  has 


been  sustainably  implemented  is  not  superficial.  We  approach  follow-up  audits  with  the  rigor  Albertans 
expect  from  this  Office,  and  will  repeat  our  recommendations  when  managers  have  not  satisfactorily 
implemented  them. 

Generally,  we  try  to  complete  follow-up  audits  within  three  years.  Depending  on  the  nature  of  the  risks, 
~)  though,  swifter  implementation  and  follow-up  may  be  required.  Currently,  management  has  advised  us 

^  that  about  25%  of  our  278  outstanding  recommendations  have  been  implemented,  but  we  have  not  yet 

performed  the  follow-up  work  necessary  to  confirm  this. 

~)  Report  Highlights 

~)  Ideally,  our  follow-up  audits  should  be  good  news  stories — recommendations  have  been  successfully 

^  implemented.  And  that  is  the  case  with  most  of  the  follow-up  work  included  in  this  report.  For  example, 

ATB's  new  project  governance  and  management  processes  have  improved  control  over  its  new  banking 
system  implementation  (page  61 ).  Also,  we  found  that  systems  are  in  place  for  management  to  determine 

~)  that  the  terms  and  conditions  of  the  Infrastructure  Stimulus  Fund  Agreement  between  the  governments  of 

^  Canada  and  Alberta  are  being  followed  (page  15). 

On  the  other  hand,  our  follow-up  work  at  the  University  of  Calgary  on  research  management  resulted 
in  us  having  to  repeat  four  recommendations  even  though  in  the  past  two  years  the  University  has 
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made  positive  changes  in  its  decentralized  control  environment  (page  43).  We  have  also  repeated  a 
recommendation  to  Service  Alberta,  since  it  cannot  yet  demonstrate  there  are  effective  controls  to  ensure 
all  government  web  applications  consistently  meet  all  security  standards  (page  189)  And.  we  repeated  two 
recommendations  to  the  Department  of  Treasury  Board  on  Alberta's  infrastructure.  The  Department  still 
needs  to  determine  how  best  to  maintain  existing  infrastructure  over  its  life,  and  it  needs  to  develop  a 
plan,  with  timelines  and  targets,  to  reduce  the  deferred  maintenance. 

There  are  two  new  recommendations  that  we  view  as  key  to  the  success  of  Alberta  Health  Services 
Firstly,  we  recommend  (no.  19-page  164)  AHS  prepare  and  implement  a  formal  transition  plan  for  its 
finance  operations.  We  found  material  errors  in  the  financial  reporting  system,  unachieved  processing 
efficiencies  and  significant  strain  on  its  finance  staff.  Secondly,  we  recommend  AHS  ensure  proper 
funding  agreements  for  its  capital  projects  (no.  20-page  1 66).  Without  proper  contractual  arrangements,  the 
AHS  capital  plan  is  jeopardized,  unfilled  expectations  may  lead  to  difficult  and  costly  resolution,  and  there 
is  greater  risk  of  cost  escalation  that  would  be  borne  by  taxpayers. 

Acknowledgement  and  thanks 

In  closing,  I  thank  Members  of  the  Legislative  Assembly,  in  particular  members  of  the  Standing  Committee 
on  Public  Accounts,  who  help  us  to  identify  issues  that  are  important  to  them  as  legislators.  I  also  thank 
Members  of  the  Provincial  Audit  Committee,  comprised  of  senior  business  executives  with  financial, 
business  and  governance  skills,  who  serve  as  wise  counsel  to  our  Office. 

I  express  our  appreciation  to  management  and  staff  of  the  organizations  that  we  audit.  Without  their 
assistance  and  cooperation,  we  would  not  be  able  to  effectively  fulfill  our  role. 


Finally,  I  acknowledge  and  thank  my  staff.  This  report  evidences  their  thoughtful  and  diligent  work  in 
and  follow-up  audits,  and  in  providing  assurance  to  Albertans  on  the  governments  performance  reporting. 


new 


Merwan  N  Saher,  CA 
Auditor  General 


October  15,  2010 
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Recommendation  Highlights 


This  report  contains  41  recommendations,  all  listed,  starting  at  page  7.  Of  the  41  recommendations, 
30  are  new.  The  other  11  repeat  recommendations  on  which  implementation  progress  was  too  slow.  We 
have  numbered  24  recommendations  that  need  a  formal  response  from  the  government. 

Prioritizing  our  recommendations 

As  part  of  the  audit  process,  we  provide  recommendations  to  government  in  documents  called 
management  letters.  We  use  public  reporting  to  bring  our  recommendations  to  the  attention  of  Members 
of  the  Legislative  Assembly  (MLAs).  For  example,  members  of  the  all-party  Standing  Committee  on  Public 
Accounts  refer  to  the  recommendations  in  our  public  reports  during  their  meetings  with  representatives  of 
government  departments  and  agencies. 

To  help  MLAs,  we  prioritize  recommendations  in  our  public  reports  to  indicate  where  we  believe  they 
should  focus  their  attention.  We  categorize  them  as  follows: 

Key  recommendations — These  are  the  numbered  recommendations  we  believe  are  the  most 

significant. 

•  Numbered  recommendations — These  recommendations  require  a  formal  response  from  the 
government.  By  implementing  these  recommendations,  the  government  will  significantly  improve  the 
safety  and  welfare  of  Albertans,  the  security  and  use  of  the  province's  resources,  or  the  governance 
and  ethics  with  which  government  operations  are  managed. 

Unnumbered  recommendations — These  recommendations,  although  important,  do  not  require  a 
formal  response  from  government. 

Reporting  the  status  of  recommendations 

We  follow-up  all  recommendations  and  report  their  status  in  our  public  reports.  The  timing  of  our 
follow-up  audits  depends  on  the  nature  of  our  recommendations.  To  encourage  timely  implementation, 
and  assist  with  the  timing  of  our  follow-up  audits,  we  require  a  reasonable  implementation  timeline  on 
all  recommendations  accepted  by  the  government  or  the  entities  we  audit  that  report  to  the  government. 
We  recognize  some  recommendations  will  take  longer  to  fully  implement  than  others,  but  we  encourage 
full  implementation  within  three  years.  Typically,  we  do  not  report  on  the  progress  of  an  outstanding 
recommendation  until  management  has  had  sufficient  time  to  implement  the  recommendation  and  we 
have  completed  our  follow-up  audit  work.  We  repeat  a  recommendation  if  we  find  that  the  implementation 
progress  has  been  too  slow. 

We  report  the  status  of  our  recommendations  as: 

Implemented — We  briefly  explain  how  the  government  or  provincial  agency  implemented  the 
recommendation. 

•  Repeated — We  explain  why  we  are  repeating  the  recommendation  and  what  the  government  must 
still  do  to  implement  it. 

Progress  report — Although  not  fully  implemented,  we  provide  information  when  we  consider  it  useful 
for  MLAs  to  understand  management's  actions. 

Satisfactory  progress  report — We  may  want  to  state  that  progress  is  satisfactory  based  on  the  results 
of  a  follow-up  audit. 

•  Changed  circumstances — If  the  recommendation  is  no  longer  valid,  we  briefly  explain  why  and 
remove  the  recommendation  from  our  outstanding  recommendation  list. 

Report  of  the  Auditor  General  of  Alberta  


October  2010 


Outstanding  recommendations 

We  have  a  chapter  called  Past  Recommendations — see  page  203.  It  provides  a  complete  list  of  the 
recommendations  that  are  not  yet  implemented.  Although  management  may  consider  some  of  these 
recommendations  implemented,  we  do  not  remove  recommendations  from  the  list  until  we  have  been 
able  to  complete  follow-up  audit  work  to  confirm  implementation. 
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9—1 — Key  and  numbered  recommendation 
Green  print — Numbered  recommendation 
Black  print — Unnumbered  recommendation 


Systems  Audits — New 


Advanced  Education  and  Technology — IT  Governance,  Strategic 
Planning  and  Project  Management 

Page  21    Athabasca  University — Improve  governance  and  oversight  of  information  technology — 
Recommendation  No.  1 

We  recommend  that  Athabasca  University  continue  to  improve  its  IT  governance  by: 

developing  an  integrated  IT  delivery  plan  that  aligns  with  the  University's  IT  strategic  plan 
requiring  business  cases  for  IT  projects  that  include  key  project  information  such  as  objectives, 
costs-benefit  assessments,  risks  and  resource  requirements  to  support  the  steering 
committees'  and  executive  committee's  decisions  and  ongoing  project  oversight 
improving  the  coordination  and  communication  between  the  IT  steering  committees  in 
reviewing,  approving  and  overseeing  projects 

Page  24  Athabasca  University — Improve  portfolio  and  project  management  processes — 
Recommendation  No.  2 

We  recommend  that  Athabasca  University  continue  to  improve  its  portfolio  management  and  project 

management  processes  for  IT  projects  by: 

clarifying  and  communicating  the  mandate  and  authority  of  the  project  management  office 
setting  project  management  and  architectural  standards,  processes  and  methodologies,  and 
training  project  managers  on  these 

monitoring  and  enforcing  project  managers'  adherence  to  these  standards,  processes  and 
methodologies 

tracking  and  managing  project  dependencies  on  scope,  risks,  budgets  and  resource 
requirements 

Page  25  Athabasca  University — Formalize  IT  project  performance  monitoring  and  reporting — 
Recommendation 

We  recommend  that  Athabasca  University  formalize  and  improve  its  monitoring  and  oversight  of 
information  technology  projects  by: 

improving  its  systems  to  quantify  and  record  internal  project  costs 

providing  relevant  and  sufficient  project  status  information  to  the  IT  steering  and  executive 
committees,  and  summarized  project  information  to  the  Athabasca  University  Governing 
Council  Audit  Committee 

completing  post-implementation  reviews  on  projects  to  verify  that  expected  objectives  and 
benefits  were  met  and  identify  possible  improvements  to  IT  governance,  strategic  planning  and 
project  management  processes 

Page  27  Athabasca  University — Resolve  inefficiencies  in  financial,  human  resources  and  payroll 
systems — Recommendation 

We  recommend  that  Athabasca  University  complete  its  plans  to  resolve  the  inefficiencies  in  its 
financial,  human  resources  and  payroll  systems. 

Children  and  Youth  Services — Daycare  and  Day  Home  Regulatory 

Compliance  Monitoring 

Page  37  Department — Documentation  and  training — Recommendation 

We  recommend  that  the  Department  of  Children  and  Youth  Services,  working  with  the  Child  and 
Family  Services  Authorities,  review  documentation  and  training  requirements  for  monitoring  licensed 
and  approved  programs  to  ensure  requirements  are  being  met. 
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Page  38  Child  and  Family  Services  Authorities — Improve  consistency  of  monitoring — 
Recommendation 

We  recommend  that  Child  and  Family  Services  Authorities  improve  systems  to  ensure  their 
consistent  compliance  with  monitoring  and  enforcement  policies  and  processes. 


Page  39  Child  and  Family  Services  Authorities — Improve  follow-up  processes — 
Recommendation  No.  3 

We  recommend  that  Child  and  Family  Services  Authorities  improve  systems  for  monitoring  and 
enforcing  child  care  program  compliance  with  statutory  requirements  and  standards  by  ensuring 
that  all  verbal  warnings  are  adequately  documented  and  resolved. 


Systems  Audits — Follow-up 


Advanced  Education  and  Technology — University  of  Calgary — 
Research  Management 

Page  46  University  of  Calgary — Improve  human  resource  plans  and  system  for  cost  planning 
quantify  and  budget  for  indirect  costs — Recommendation  No.  4 — Repeated 

We  again  recommend  that  the  University  of  Calgary  improve  its  human  resources  plans  and 
develop  a  system  to  quantify  and  budget  for  the  indirect  costs  of  research. 

Page  48  University  of  Calgary — Define  research  management  roles  and  responsibilities — 
Recommendation  No.  5 — Repeated 

We  again  recommend  that  the  University  of  Calgary  define  research  management  roles  and 
responsibilities. 

Page  50   University  of  Calgary — Maintain  current  and  comprehensive  research  policies — 
Recommendation  No.  6 — Repeated 

We  again  recommend  that  the  University  of  Calgary  ensure  all  research  policies  are  current 
and  comprehensive.  Specifically,  the  policies  should  identify  who  is  responsible  for  monitoring 
compliance. 

Page  52  University  of  Calgary — Use  project  management  tools  for  large,  complex  projects — 
Recommendation — Repeated 

We  again  recommend  that  the  University  of  Calgary  and  its  faculties  use  project  management  tools 
for  large,  complex  projects  to  ensure  research  is  cost  effective. 

Service  Alberta — Protecting  Information  Assets 

Page  78  Web  application  controls — Recommendation  No.  7 — Repeated 

We  again  recommend  that  Service  Alberta,  in  conjunction  with  all  ministries  and  through  the 
Chief  Information  Officer  Council,  develop  and  implement  well  designed  and  effective  controls  to 
ensure  all  Government  of  Alberta  web  applications  consistently  meet  all  security  standards  and 
requirements. 

Treasury  Board — Assessing  and  Prioritizing  Alberta's  Infrastructure 
Needs 

Page  89  Department — Deferred  maintenance — Recommendation  No.  8 — Repeated 

We  again  recommend  that  the  Department  of  Treasury  Board,  in  consultation  with  departments, 
develop  objectives,  timelines  and  targets  for  reducing  deferred  maintenance,  and  include 
information  on  deferred  maintenance  in  the  province's  Capital  Plan. 


Page  92   Department — Maintaining  assets  over  their  life — Recommendation  No.  9 — Repeated 

We  again  recommend  that  the  Department  of  Treasury  Board  establish  a  process  that  enables 
public  infrastructure  assets  to  be  properly  maintained  over  their  life. 
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Financial  Statement  Audits  and  Other  Assurance  Work 


Advanced  Education  and  Technology 

Page  108   Department — Improve  controls  over  student  finance  program — Recommendation 

We  recommend  that  the  Department  of  Advanced  Education  and  Technology  improve  its  controls 

over  the  student  finance  program  by: 

properly  approving  changes  to  student  loan  programs  and  communicating  the  changes  to  staff 
reviewing  and  approving  changes  to  assumptions  and  methodologies  used  in  calculating  the 
allowance  for  loan  relief  completion  payments  and  loan  subsidies 

Page  111   Athabasca  University — Establish  IT  resumption  capabilities — Recommendation  No.  10 

We  recommend  that  Athabasca  University: 

assess  the  risks  and  take  the  necessary  steps  to  establish  appropriate  off-site  disaster  recovery 
facilities  that  include  required  computer  infrastructure  to  provide  continuity  of  critical  IT  systems 
complete  and  test  its  existing  disaster  recovery  plan  to  ensure  continuous  services  are  provided 
in  the  event  of  a  disaster 

Page  112   University  of  Calgary — Improve  access  to  data  and  systems — Recommendation 
No.  11 — Repeated 

We  again  recommend  that  the  University  of  Calgary  improve  controls  in  the  PeopleSoft  system  by: 
finalizing  and  implementing  the  security  policy  and  the  security  design  document 
ensuring  that  user  access  privileges  are  consistent  with  both  the  user's  business  requirements 
and  the  security  policy 

Page  118  University  of  Lethbridge — Improve  endowment  policies — Recommendation 

We  recommend  that  the  University  of  Lethbridge  improve  its  endowment  policies  and  procedures 
by: 

clarifying  its  goals  for  preserving  the  real  value  of  endowments,  and  how  it  plans  to  achieve  this 
tracking  investment  income  between  amounts  for  preserving  the  real  value  of  investments  and 
amounts  available  for  spending 

Agriculture  and  Rural  Development 

Page  122  Agriculture  Financial  Services  Corporation — Verify  accuracy  of  specific  loan  loss 
allowance — Recommendation 

We  recommend  that  Agriculture  Financial  Services  Corporation  improve  the  effectiveness  of 
processes  to  determine  the  specific  loan  loss  allowance  on  impaired  loans. 

Page  124  Agriculture  Financial  Services  Corporation — Improve  processes  for  conducting 
compliance  audits — Recommendation  No.  12 

We  recommend  Agriculture  Financial  Services  Corporation  improve  its  processes  for  conducting 
compliance  audits  and  investigations  by: 

clearly  defining  the  roles  and  responsibilities  of  the  Program  Cross  Compliance  and 

Investigations  group 

improving  the  coordination  between  PCCI  and  program  areas 

Education 

Page  133   Northland  School  Division  No.  61 — Obtaining  interest  in  land — Recommendation  No.  13 

We  recommend  that  Northland  School  Division  No.  61  develop  processes  to  ensure  it  obtains  a 
valid  legal  interest  in  land  before  beginning  construction  of  schools. 

Page  134   Northland  School  Division  No.  61 — Improving  financial  reporting — 
Recommendation  No.  14 

We  recommend  that  the  Northland  School  Division  No.  16  improve  its  financial  reporting  by: 
preparing  and  presenting  quarterly  financial  information  to  the  Official  Trustee 
regularly  reviewing  and  reconciling  general  ledger  accounts 
preparing  year-end  financial  statements  promptly 
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Employment  and  Immigration 

Page  136  Workers'  Compensation  Board — Computer  access — Recommendation 

We  recommend  that  the  Workers'  Compensation  Board  ensure  that  access  to  computer  systems  is 
restricted  to  appropriate  staff. 

Environment 

Page  143  Department — Improve  and  document  grant  monitoring  activities — 
Recommendation  No.  15 

We  recommend  that  the  Department  of  Environment  improve  its  monitoring  of  compliance  with 
conditions  in  grant  agreements  and  retain  evidence  of  the  review. 

Page  144  Department — Clarify  what  are  valid  regulatory  expenses — Recommendation 

We  recommend  that  the  Department  of  Environment  clarify  the  kind  and  extent  of  regulatory 
expenses  that  can  be  paid  out  of  the  Climate  Change  and  Emissions  Management  Fund. 

Finance  and  Enterprise 

Page  150  Department — Improve  financial  reporting  processes — Recommendation  No.  16 

We  recommend  that  the  Department  of  Finance  and  Enterprise  improve  its  year-end  financial 
reporting  processes. 

Page  153  Alberta  Treasury  Branches — Improve  credit  monitoring — Recommendation — Repeated 

We  again  recommend  that  Alberta  Treasury  Branches  promptly  update  the  derivative  credit  limits 
disclosed  in  the  Da/Vy  Derivative  Credit  Exposure  Report. 

Page  154  Alberta  Treasury  Branches — Improve  internal  controls  over  fair  value  calculations — 
Recommendation — Repeated 

We  again  recommend  that  Alberta  Treasury  Branches  improve  controls  over  the  calculation  of  the 
fair  value  for  its  derivatives  and  securities  by: 

implementing  a  peer  review  and  approval  process  for  inputs  and  assumptions  used  in  the 

valuation  models.  Alternatively,  for  derivatives,  management  could  use  a  benchmarking  process 

to  assess  reasonability  of  its  calculated  fair  values 

documenting  the  results  of  this  work  consistently 

Page  156  Alberta  Investment  Management  Corporation — Help  clients  meet  financial  reporting 
requirements — Recommendation  No.  17 

We  recommend  that  the  Alberta  Investment  Management  Corporation  identify  financial  reporting 
requirements  in  its  investment  management  agreements  with  clients.  The  Alberta  Investment 
Management  Corporation  should  meet  with  the  clients  to  understand  their  financial  reporting 
frameworks,  their  financial  accounting  requirements  and  the  investment-related  information  they 
need  to  prepare  financial  statements. 

Page  157  Alberta  Investment  Management  Corporation — Improve  controls  over  investment 
general  ledger — Recommendation  No.  18 

We  recommend  that  the  Alberta  Investment  Management  Corporation  implement  additional  control 
procedures  so  that  the  Corporation  itself  can  ensure  the  completeness  and  accuracy  of  its  Genvest 
investment  general  ledger. 

Page  158  Alberta  Investment  Management  Corporation — Strengthen  IT  change  management 
controls — Recommendation 

We  recommend  that  the  Alberta  Investment  Management  Corporation  strengthen  its  IT  change 
management  controls  to  ensure  that  it  adequately  assesses  the  risks  of  changes,  and  does  not 
make  changes  outside  of  the  change  management  process. 
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Health  and  Wellness 

Page  164  Alberta  Health  Services — Financial  operations  transition  plan — Recommendation  No.  19 

We  recommend  that  Alberta  Health  Services  prepare  and  implement  a  formal  transition  plan  for  the 
organization's  finance  operations.  The  plan  should  include  and  integrate  the  following: 

assessing  the  resources,  timelines  and  critical  path  needed  to  consolidate  the  general  ledger 
and  sub-ledger  systems 

ensuring  rigorous  change  management  controls  are  applied  before  implementing  application 
system  changes 

harmonizing  financial  reporting  policies  and  processes  across  the  organization 
determining  the  adequate  amount  of  human  resources  and  skill  levels  required  to  implement 
the  plan  and  then  keep  the  processes  operational 


8-nr 


Page  166  Alberta  Health  Services — Funding  agreements  for  capital  projects — 
Recommendation  No.  20 

We  recommend  that  Alberta  Health  Services  ensure  that  funding  agreements  are  signed  prior 
to  commencement  of  construction  of  capital  projects,  and  are  formally  amended  when  there  are 
significant  changes  in  the  scope  of  a  capital  project. 

Page  167  Alberta  Health  Services — Effectiveness  of  insurance  reciprocal — 
Recommendation  No.  21 

We  recommend  that  Alberta  Health  Services  assess  the  effectiveness  of  its  arrangement  with 
the  Liability  and  Property  Insurance  Plan  as  a  risk  management  tool,  and  assess  the  resulting 
accounting  implications. 

Page  168  Alberta  Health  Services — Accounting  for  restricted  contributions — 
Recommendation  No.  22 

We  recommend  that  Alberta  Health  Services  implement  consistent  and  efficient  accounting 
processes  for  externally  restricted  contributions  to  assure  the  AHS  Board  that  it  is  complying  with 
the  restrictions  attached  to  those  contributions. 

Page  169  Alberta  Health  Services — Year-end  financial  reporting  processes — 
Recommendation  No.  23 — Repeated 

We  again  recommend  that  Alberta  Health  Services  improve  its  year-end  financial  reporting 
processes  by  improving  processes  to  identify  and  resolve  key  accounting  risks  and  reporting  issues 
on  a  timely  basis. 

Justice  and  Attorney  General 

Page  180   Office  of  the  Public  Trustee — New  vendor  set-up — Recommendation  No.  24 

We  recommend  that  the  Office  of  the  Public  Trustee  improve  controls  for  inputting  new  vendors  in 
its  Public  Trustee  Information  System. 

Page  180  Office  of  the  Public  Trustee — Recurring  payments — Recommendation 

We  recommend  that  the  Office  of  the  Public  Trustee  improve  its  controls  for  issuing  and  stopping 
recurring  payments. 

Municipal  Affairs 

Page  183  Department — User  access  to  information  systems — Recommendation 

We  recommend  that  the  Department  of  Municipal  Affairs  improve  its  procedures  for  granting  and 
removing  user  access  to  its  business  applications,  and  ensure  those  procedures  are  followed. 

Service  Alberta 

Page189  Access  to  motor  vehicle  registration  data — Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta  strengthen  its  control  over  granting  user  access 
to  its  motor  vehicles  system. 
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Transportation 

Page197  Department — Improve  processes  to  value  donated  assets  in  the  Department  financial 
statements — Recommendation 

We  recommend  that  the  Department  of  Transportation: 
enter  into  agreements  with  donors  that: 

provide  the  Department  of  Transportation  with  assurance  on  the  fair  value  of  the  donated 
assets 

specify  whether  donation  receipts  will  be  issued 
document  its  support  for  the  valuation  reported  in  its  financial  statements,  including  the 
procedures  performed,  assumptions  made  and  source  documents  reviewed 
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Summary 


The  2009  federal  government  budget  introduced 
the  Economic  Action  Plan  in  response  to  the 
economic  downturn  and  to  deal  with  concerns 
about  the  potential  impact  of  the  global  recession 
on  the  Canadian  economy.  "Building  infrastructure 
to  create  jobs"  was  a  component  of  this  plan  and 
the  Infrastructure  Stimulus  Fund  was  a  program 
within  this  component. 

What  we  examined 

We  examined  the  Alberta  government's 
systems  that  allow  management  to  determine 
if  Alberta  follows  the  terms  and  conditions  of 
the  Infrastructure  Stimulus  Fund  Agreement 
{ISF  Agreement)  between  the  governments  of 
Canada  and  Alberta. 

Why  this  is  important  to  Albertans 

The  federal  government's  Infrastructure  Stimulus 
Fund  (ISF)  will  provide  approximately  $424  million 
to  Alberta  to  assist  in  the  economic  recovery. 
Albertans  need  to  be  confident  that  these  public 
funds  are  properly  administered. 

What  we  found 

The  Government  of  Alberta  used  existing  programs 
and  processes  to  administer  the  ISF  program  in 
Alberta,  and  where  necessary,  made  changes  to 
accommodate  ISF  requirements.  We  found  that 
systems  are  in  place  for  management  to  determine 
that  the  terms  and  conditions  of  the  ISF  Agreement 
are  being  followed. 

The  risk  to  the  government 

Were  Alberta  not  to  comply  with  all  of  the 
ISF  Agreement's  terms  and  conditions,  some  or  all 
of  the  project  costs  may  no  longer  qualify  for  ISF 
and  the  federal  government  may  seek  to  recover 
these  funds  from  Alberta. 

What  needs  to  be  done 

We  found  a  system  that  was  performing  as 
intended  and  therefore,  make  no  recommendations 
for  improvement. 


Audit  objectives  and  scope 


Our  objective  was  to  determine  if  there  were 
systems  in  place  that  allow  management  to 
determine  if  the  Alberta  government  adheres  to 
the  terms  and  conditions  of  the  ISF  Agreement. 
We  excluded  projects  where  recipients  negotiated 
separate  agreements  directly  with  the  federal 
government  for  ISF  funding,  such  as  the  City  of 
Edmonton  and  the  City  of  Calgary  transit  projects. 


Background 


The  "building  infrastructure  to  create  jobs" 
component  includes  programs  funded  by 
the  federal  government  as  well  as  programs 
cost-shared  between  the  federal,  provincial  and 
municipal  levels  of  government.  Some  of  the 
cost-shared  programs  are  short-term,  requiring 
project  completion  by  March  2011.  These 
short-term  programs  provide  targeted  temporary 
stimulus  to  the  economy  to  reduce  job  loss  or 
create  new  jobs.  The  federal  contribution  to  Alberta 
Infrastructure  was  for  short-term  projects: 


Program 

Total  Federal 
Commitment 

Federal 
Contribution 
to  Alberta 

(millions  of  dollars) 

Infrastructure  Stimulus  Fund  (ISF) 

$4,000 

$424 

Knowledge  Infrastructure  Program 

2.000 

195 

Affordable  Housing  Initiative 

1,475 

119 

Communities  Component  Top-up 

500 

52 

Recreational  Infrastructure 
Program 

500 

54 

TOTAL  for  short-term, 
cost-shared  programs 

$8,475 

$844 

Table  1 :    Federal  Contributions  to  Alberta  Infrastructure 
(short-term  programs) 

Our  audit  focused  on  ISF,  which  is  the  largest 
program  within  the  infrastructure  component.  ISF  is 
a  new  federal  program,  with  a  significant  provincial 
funding  requirement.  The  purpose  of  the  $4  billion 
ISF  is  to  provide  funding  towards  the  rehabilitation 
or  construction  of  provincial,  territorial,  municipal 
and  community  infrastructure  projects.  The  federal 
contribution  to  Alberta  will  be  up  to  approximately 
$424  million  and  Alberta's  contribution  will  be  up 
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to  approximately  $355  million.  Funding  is  for  two 
years  for  projects  that  can  begin  construction  and 
be  completed  by  March  31,  2011.  This  program 
provides  federal  funding  of  up  to  50  percent 
for  provincial  projects  and  up  to  33  percent1  for 
municipal,  community  and  not-for-profit  projects. 

The  federal  government's  $424  million  was 
allocated  to  the  following  types  of  projects:2 


Type  of  Project 

Number  of 
Projects 

Federal 
Funding 

Total 
Eligible 
Costs  for 
Projects 

(millions  of  dollars) 

Provincial 

127 

$220 

$454 

Community 

86 

89 

280 

Municipal 

10 

7 

26 

Not-for-profit 

3 

32 

73 

Sub-total 

226 

$348 

$833 

Projects  Under 
Separate  Agreements 

5 

73 

Program  Delivery 
Costs 

3 

Total 

231 

$424 

Table  2:    ISF  Allocation  to  Alberta  Projects 

The  Ministry  of  Treasury  Board  provided 
coordination  and  oversight  of  the  ISF  program  in 
Alberta.  The  following  departments  are  responsible 
for  the  delivery  of  projects  within  the  program: 
Department  of  Transportation  is  responsible 
for  the  provincial,  community  and  municipal 
projects.  The  following  units  within  the 
Department  of  Transportation  are  directly 
involved: 

The  Programming  Unit  is  responsible  for 
the  127  provincial  projects,  most  of  which 
are  highway  infrastructure  projects. 
The  Program  Secretariat  is  responsible  for 
86  community  projects.  For  each  project, 
there  is  a  signed  contribution  agreement 
between  the  province  of  Alberta  and 
the  recipient  community  outlining  the 
contractual  responsibilities  of  each  party. 
The  Municipal  Programs  Unit  is  responsible 
for  ten  municipal  projects  that  were 

1  In  exceptional  circumstances,  Canada  may  contribute  up  to 
50  percent. 

2  There  were  several  projects  the  federal  government 
negotiated  directly  with  the  recipients,  therefore,  were 
not  part  of  our  audit.  These  projects  ($73  million)  and  the 
program  delivery  cost  of  approximately  $3  million  account 
for  the  difference  between  $348  million  and  $424  million. 


previously  approved  for  provincial  funding 
under  existing  provincial  programs.  These 
projects  were  subsequently  approved  for 
federal  funding  under  ISF.  A  Memorandum 
of  Agreement  was  signed  for  each  project. 
Department  of  Culture  and  Community  Spirit  is 
responsible  for  three  not-for-profit  projects — the 
GO  Community  Centre,  the  Canada  Sports  Hall 
of  Fame  and  the  Citadel  Theatre  renovation. 
These  projects  were  initially  approved  for 
provincial  funding  under  the  Major  Community 
Facilities  Program.  The  original  Grant  Funding 
Agreements  were  amended  to  include  the 
terms  and  conditions  of  the  ISF  for  the  federal 
funding  component. 

The  ISF  program  is  intended  to  immediately 
stimulate  activity  in  the  economy.  In  order  to 
speed  up  the  introduction  and  delivery  of  the 
program,  processes  were  streamlined.  The  federal 
government  announced  its  intention  to  speed  up 
payments  for  projects  that  were  ready  to  go.  At 
the  provincial  level,  there  was  a  need  to  ensure 
that  adequate  management  systems  and  controls 
were  in  place  to  monitor  progress  of  the  projects. 
Introducing  a  significant  infrastructure  program 
within  a  short  timeframe  naturally  raises  concerns 
about  whether  adequate  controls  will  be  maintained 
to  ensure  that  value  for  money  is  received.  Some 
considerations  for  our  audit  were: 

•  Need — Is  there  a  demonstrated  need  for  the 
projects  funded  through  the  program? 

Projects  receiving  federal  funding  in  Alberta 
were  part  of  a  provincial  planning  process 
or  had  been  approved  for  provincial  funding 
prior  to  the  ISF  program.  Alberta's  priority  in 
identifying  projects  for  ISF  funding  was  to 
select  projects  that  were  planned  sufficiently  to 
be  "shovel  ready"  and  that  could  be  completed 
within  a  two-year  timeframe. 

•  Quality — Are  approved  projects  subject  to  the 
same  construction  and  development  standards 
as  capital  projects  with  a  longer  timeframe? 

Alberta  has  established  processes  and 
standards  for  infrastructure  projects. 


16 


Report  of  the  Auditor  General  of  Alberta 


October  2010 


^ross-Ministry 


Infrastructure  Stimulus  Fund 


ISF  funded  projects  are  subject  to  the  same 

standards: 

Provincial  highway  projects  are  subject  to 
the  same  public  tendering  and  procurement 
processes  as  non-ISF  projects. 
Communities  agree  to  use  an  open  and 
transparent  procurement  process  as  a  term 
of  the  contribution  agreement  they  sign 
with  the  province. 

Municipal  and  not-for-profit  projects  were 
approved  for  provincial  funding  prior  to 
the  ISF  application  for  federal  funding. 
Provincial  standards  are  part  of  the  funding 
agreements  for  these  programs. 

Cost — Is  there  a  risk  that  tight  timelines  will 
inflate  construction  costs  or  that  the  targeted 
sectors  will  have  capacity  issues? 

The  economic  downturn  that  drove  the  need  for 
the  ISF  program  has  also  resulted  in  an  overall 
reduction  in  construction  costs  for  infrastructure 
projects.  Examples  are: 

Provincial  highway  project  costs  are 
significantly  lower  than  originally 
projected.  The  reduced  costs  allowed  the 
province  to  add  29  additional  projects3 
worth  approximately  $134  million  in 
January  2010. 

Cost  savings  for  community  projects 
have  also  been  identified.  In  some  cases, 
communities  have  applied  to  expand  the 
scope  of  projects  to  use  remaining  funds. 

Shovel  ready  (timing) — Were  projects  ready 
to  go  such  that  they  could  be  completed  by 
March  31,  2011? 

In  order  for  capital  infrastructure  projects  to 
begin  construction  immediately  upon  approval, 
the  planning  phase  would  have  had  to  be 
completed  before  receiving  program  funding. 
If  project  planning  has  not  been  adequately 
completed  for  approved  projects,  there  is  a 
risk  that  projects  may  not  be  completed  on 
time  and  within  budget.  ISF  projects  were 
identified  based  on  their  ability  to  be  completed 


3     These  are  included  in  the  127  provincial  projects  in  Table  2 
on  page  16. 


by  March  31,  2011.  Project  completion  within 
the  agreed  upon  timeframe  is  a  key  risk  to  the 
successful  implementation  of  the  ISF  program. 
As  a  result,  this  was  part  of  the  scope  of  our 
audit.  We  established  criteria  to  assess  the 
province's  processes  to  monitor  the  progress  of 
projects. 


Conclusions 


We  concluded  that  there  are  adequate  systems 
in  place  for  management  to  determine  that  the 
terms  and  conditions  of  the  ISF  Agreement  are 
being  followed.  We  make  no  recommendations  to 
government  in  this  report. 

To  provide  a  structure  for  our  work,  we  developed 
and  agreed  with  management  on  the  criteria 
to  use  as  standards  for  our  audit.  During  the 
audit,  we  used  these  same  criteria  to  assess  the 
departments'  systems.  The  departments  met  all 
criteria,  except  for  Criterion  7.  We  were  unable  to 
conclude  on  the  criterion  dealing  with  completed 
projects.  There  are  ongoing  discussions  between 
the  Governments  of  Canada  and  Alberta  to  decide 
which  completed  projects  will  be  required  to  submit 
an  audit  report. 

Criteria:  the  standards  for  our  audit  

We  assessed  the  departments'  performance 
against  these  criteria: 

1 .  Agreements  with  recipients  for  community, 
municipal  and  not-for-profit  projects  are 
consistent  with  and  incorporate  the  terms  and 
conditions  of  the  ISF  Agreement. 

2.  Projects  are  monitored  to  determine  when  the 
projects  begin,  how  they  are  progressing,  and  if 
completion  dates  are  on  schedule. 

3.  Claims  are  processed  in  a  timely  manner,  while 
respecting  appropriate  control  and  review 
procedures. 

4.  Funding  is  used  for  its  intended  purpose; 
only  eligible  costs  incurred  by  recipients  for 
approved  projects  are  paid. 

5.  Cost  sharing  provisions  are  monitored  and 
adhered  to. 

6.  Quarterly  progress  reports  and  other  required 
financial  reporting  is  complete,  accurate,  and 
timely. 
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7.  Completed  projects  are  supported  by  a 
declaration  of  substantial  completion  and  an 
audit  report. 

8.  Recipients  of  funding  adhere  to  the 
requirements  of  all  applicable  environmental 
laws,  regulations,  orders  and  orders  in  council. 

9.  Recipients  of  funding  use  an  effective, 
open  and  transparent  process  for  selecting 
contractors  that  is  consistent  with  the 
Agreement  on  Internal  Trade  and  the  Trade 
Investment  and  Labour  Movement  Agreement 
(TILMA). 


Our  audit  findings 


the  Department  of  Culture  and  Community  Spirit 
have  good  processes  in  place  to  ensure  the  costs 
for  projects  met  the  eligibility  requirements  of  the 
ISF  Agreement.  The  Department  of  Transportation's 
Municipal  Programs  Unit  relied  on  progress  reports 
to  approve  expenses.  Going  forward,  this  unit 
will  receive  more  detailed  information  to  assess 
whether  expenses  meet  the  program  requirements. 

Criterion  5 — Cost  sharing 
We  found  the  Department  of  Transportation's 
Programming  Unit  and  Program  Secretariat,  and 
the  Department  of  Culture  and  Community  Spirit 
have  good  processes  in  place  to  monitor  the  cost 
sharing  amounts  in  provincial,  community  and 
the  not-for-profit  projects.  The  municipal  project's 
information  in  SIMSI4  did  not  always  reflect  the 
current  forecast  costs  and  the  funding  amounts  by 
each  party.  Management  has  agreed  to  update  the 
information  in  SIMSI. 

Criterion  6 — Reporting 

The  province  was  meeting  its  requirements  for 

reporting  to  the  federal  government. 

Criterion  7 — Declaration  and  audit  report 
There  are  ongoing  discussions  between  the 
Governments  of  Canada  and  Alberta  to  decide 
which  completed  projects  will  be  required  to  submit 
an  audit  report.  There  were  some  projects  that 
were  complete;  however,  audit  reports  had  not 
been  submitted  as  it  has  not  yet  been  decided 
whether  they  need  to  submit  one.  We  have 
therefore,  not  concluded  on  this  criterion. 

Criterion  8 — Environmental  regulations 
We  found  the  government  received  assurance 
that  the  funding  recipients  were  adhering  to  the 
applicable  federal  government  environmental 
regulations. 

Criterion  9— TILMA 

For  the  provincial  projects  we  reviewed,  the 
Department  of  Transportation's  Programming  Unit 
followed  an  effective,  open  and  transparent  process 
for  selecting  contractors  consistent  with  the  Trade, 
Investment  and  Labour  Movement  Agreement. 


Criterion  1 — Agreement  terms  and  conditions 
We  examined  the  agreements  between 
Alberta  and  the  recipients  for  the  community, 
municipal  and  not-for-profit  projects.  We  found 
there  were  proper  agreements  in  place  for  the 
community  and  not-for-profit  projects,  including 
the  ISF  Agreement's  terms  and  conditions.  The 
agreements  used  for  municipal  projects  did  not 
contain  all  of  the  terms  and  conditions  of  the 
ISF  Agreement.  Two  conditions  not  contained  are 
reporting  requirements  that  take  place  at  project 
completion  and  do  not  impact  the  delivery  of  the 
program. 

Criterion  2 — Projects  schedule  monitoring 
Although  some  project  start  dates  were  delayed 
until  the  spring  of  2010,  the  projects  are  scheduled 
to  be  completed  before  March  31 ,  2011 . 

Criterion  3 — Timeliness 

We  examined  how  long  it  took  for  the  costs  to  be 

processed  by  the  provincial  government  from  the 

time  the  costs  were: 

submitted  by  the  recipient  for  payment 
reviewed  by  the  province 
submitted  to  the  federal  government 

We  found  the  time  it  took  to  process  these  costs 
was  reasonable. 

Criterion  4 — Funding  used  for  intended 
purposes 

We  found  the  Department  of  Transportation's 
Programming  Unit  and  Program  Secretariat,  and 
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Summary 


What  we  examined 

We  examined  Athabasca  University's 
IT  governance1  and  project  management2  systems 
to  see  if  they  are  well-designed  and  operating 
effectively  to  support  the  University's  information 
technology  that  supports  business  and  technology 
objectives.  We  also  examined  the  University's 
plan  to  improve  its  financial,  human  resources  and 
payroll  systems,  which  are  not  integrated. 

Why  this  is  important  to  Albertans 

The  University  plans  to  invest  approximately 
$90  million  over  the  next  ten  years  to  update  and 
maintain  its  information  and  communications 
technologies.  These  technologies  are  critical  for 
the  University  to  deliver  online  courses  to  students 
and  provide  the  financial  and  administrative 
systems  that  support  the  academic  environment 
and  student  services.  The  University  currently  has 
30  IT  projects  underway. 

These  diverse,  costly  and  often  complex  IT  projects 
require  that  the  University's  governance  and  project 
management  processes  provide  clear  oversight 
and  accountability.  Without  clear  governance  and 
project  management  processes,  these  IT  projects 
can  overwhelm  the  University's  resources  and  may 
not  meet  the  University's  needs  or  be  delivered 
cost-effectively  and  on  time. 

What  we  found 

In  response  to  a  recommendation  in  our 
October  2005  Report,  the  University  established 
an  IT  governance  framework  to  implement 


1  Governance  includes  the  processes  and  responsibilities 
for  management  and  oversight  of  all  projects.  These 
processes  include  strategic  planning,  prioritization  and 
approval  for  IT  projects  and  systems  development. 

2  Project  management  is  the  application  of  knowledge, 
skills  and  techniques  to  meet  a  project's  objectives  and 
requirements.  It  includes  project  initiation,  planning, 
execution  and  termination. 


its  IT  strategic  plans.  It  established  three 
IT  steering  committees  for  administration, 
learning  and  research,  and  computing  services. 
These  committees  recommend  projects  to  the 
University's  executive  committee  for  approval  and 
funding.  However,  University  still  does  not  have 
well-designed  and  effective  IT  policies,  processes, 
standards  and  project  management  systems. 

IT  Governance,  Strategic  Planning  and  Project 
Management  Deficiencies 
Management  was  unable  to  demonstrate  that  it  is 
implementing  its  IT  strategic  plans  cost-effectively, 
and  that  it  achieved  the  expected  results  and 
benefits.  The  University  had  not: 

1.  developed  an  integrated  IT  delivery  plan3  to 
link  the  University's  individual  IT  projects  to  its 
IT  Strategic  Plan,  in  order  to  highlight  project 
priorities,  critical  sequence,  inter-dependencies, 
and  high-level  risks 

2.  consistently  prepared  business  cases  to 
provide  key  project  planning  information  to  the 
steering  committees  and  executive  committee, 
including  details  on  project  objectives, 
development  costs  and  projected  maintenance 
costs,  benefits  and  risks 

3.  consistently  measured  and  reported 
sufficient  and  relevant  project  status 
information  to  the  steering  committees  and 
executive  committee  to  allow  them  to  effectively 
govern  projects  and  provide  oversight  to  the 

IT  strategic  planning  process 

4.  formalized  project  management  standards 
to  provide  clear  and  consistent  procedures  on 
how  to  manage  IT  projects 

5.  defined  a  clear  mandate  and  authority  for 
its  project  management  office  to  establish 
and  enforce  standards  and  processes  for 
successful  portfolio  management,  project 
governance,  reporting  and  effective  risk 
management  for  all  IT  projects 


3     See  page  21  for  more  on  an  integrated  IT  delivery  plan. 
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6.   defined  a  formal  systems  development 
methodology  and  architectural  standards 

to  ensure  that  systems  are  developed  and 
implemented  using  an  efficient,  consistent  and 
cost-effective  approach 

We  noted  some  improvement  for  projects  funded 
under  the  federal  government's  Knowledge 
Infrastructure  Program  (KIP)  and  the  Community 
Adjustment  Fund  (CAF).  The  University  recently 
allocated  additional  resources  to  improve  the 
monitoring  and  reporting  of  these  projects — 
although  sustaining  this  improvement  is  at  risk 
because  KIP  and  CAF  funding  is  temporary. 

Lack  of  Integrated  Finance,  Human  Resources 
and  Payroll  Systems 
While  the  University  upgraded  its  student 
information  system,  it  has  not  progressed  with 
its  2005  plan  to  improve  the  integration  and 
efficiencies  in  its  financial,  human  resources  and 
payroll  systems.  IT  strategic  planning  documents 
do  not  clearly  reflect  this  system  integration 
initiative  as  a  priority  project.  The  University's 
business  processes  remain  inefficient,  as 
significant  manual  processes  are  required. 

What  needs  to  be  done 

To  ensure  accountability,  the  University  must 
have  a  common  understanding  of  strategic 
priorities  and  allocation  of  resources,  and  the  tools 
and  information  to  ensure  that  management  is 
developing  and  implementing  the  right  systems 
for  the  University.  These  systems  should  support 
the  University's  goals  and  objectives  (and  not  one 
person's  or  one  group's)  and  management  must 
demonstrate  that  projects  are  implemented  on 
time  and  budget,  and  deliver  the  expected  and 
required  results.  To  achieve  these  improvements, 
the  University  should  resolve  the  six  deficiencies 
identified  above. 

Athabasca  University  should  use  improved 
governance,  strategic  planning  and  project 
management  processes  to  complete  its  plans  to 
resolve  the  inefficiencies  in  its  financial,  human 
resources  and  payroll  systems. 
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Audit  objectives  and  scope 


Our  objective  was  to  determine  if  the  University's 
IT  governance,  strategic  planning  and  project 
management  processes  are  designed  well  and 
operate  effectively  to  achieve  its  business  and 
technology  objectives.  For  this  audit,  we  considered 
whether: 

the  policies  and  processes  are  clearly 
documented  and  communicated  to  relevant 
staff 

roles  and  responsibilities  are  clearly  defined 
information  technology  systems  are  efficient 
and  effective 

We  also  assessed  the  University's  plan  to  integrate 
financial,  human  resources  and  payroll  systems. 


Background 


The  University  offers  approximately  700  courses 
in  approximately  90  undergraduate  and  graduate 
programs  in  arts,  science  and  professional 
disciplines.  It  serves  over  38,000  students  from 
across  Canada  and  the  globe.  The  University  relies 
on  a  large  number  of  IT  applications  and  systems 
to  provide  programs  and  services  to  students  and 
employees.  It  also  has  several  key  administration 
systems  (finance,  materials  inventory  and  HR/ 
payroll)  for  the  operation  of  the  University.  Its  heavy 
reliance  on  IT  to  deliver  programs  and  services 
to  students  underscores  how  critical  effective 
IT  governance  is  for  the  University. 

In  our  October  2005  Report  (no.  19— page  97), 
we  recommended  that  the  University  improve  its 
IT  planning  and  governance  by  establishing  an 
IT  governance  framework  and  developing  an 
IT  strategic  plan  to  integrate  its  critical 
administrative  systems  and  to  address  risks  with 
manual  interventions  and  operational  inefficiencies. 
In  our  October  2007  Report,  we  reported  that 
the  University  had  begun  the  planning  process 
to  replace  its  administration  systems.  The 
IT  steering  committees  approved  an  IT  strategic 
plan  to  resolve  these  issues.  We  reported  that  the 
University  planned  to  develop  an  implementation 
plan  for  a  new  integrated  finance,  payroll  and 
human  resources  system. 
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Athabasca  University's  IT  Governance  Framework 


Governing  Council 


Audit  Committee  of  the 
Governing  Council 


Management 


Executive  Committee 


Chief  Information  Officer  (CIO) 


Learning  and 
Research  Steering 
Committee 


Administration 
Steering 
Committee 


Computing 
Services  Steering 
Committee 


Project  Management  Office  (PMO) 


Note:  Three  steering  committees  provide  strategic  direction  and  recommend  projects  to  the  Executive  Committee  for 
approval  and  funding.  The  CIO  chairs  the  steering  committees  and  is  a  member  of  the  Executive  Committee.  The  PMO 
reports  directly  to  the  CIO. 


The  University's  total  budget  for  2010-2011  is 
approximately  $125  million,  of  which  approximately 
$7.75  million  relates  to  IT.  The  University's 
2009-2013  Business  Plan  anticipates  that 
information  and  communications  technologies 
require  a  major  capital  investment  of  approximately 
$90  million  over  the  next  ten  years,  of  which 
approximately  $80  million  should  be  externally 
funded.  The  federal  government  granted 
$7.6  million,  of  which  the  University  had  received 
$5.7  million. 


Findings  and  recommendations 


Governance  and  oversight  of 
information  technologies 
Background 

In  2005,  the  University  established  an 
IT  governance  framework  for  implementing  its 
Information  Technology  Systems  Operating  Plan 
2005-2007  Part  1  followed  by  Part  2  in  2006.  The 
University  has  three  steering  committees — the 
Administration  Steering  Committee,  Learning 
and  Research  Steering  Committee  and 
Computing  Services  Steering  Committee.  These 
committees  review  project  proposals  and  make 
recommendations  on  which  projects  to  submit  for 
executive  committee's  final  approval  and  funding. 


Recommendation:  improve  governance 
and  oversight  of  information  technology 


RECOMMENDATION  NO.  1 


We  recommend  that  Athabasca  University 
continue  to  improve  its  IT  governance  by: 
developing  an  integrated  IT  delivery  plan 
that  aligns  with  the  University's  IT  strategic 
plan 

requiring  business  cases  for  IT  projects 
that  include  key  project  information  such 
as  objectives,  costs-benefit  assessments, 
risks  and  resource  requirements  to  support 
the  steering  committees'  and  executive 
committee's  decisions  and  ongoing  project 
oversight 

improving  the  coordination  and 
communication  between  the  IT  steering 
committees  in  reviewing,  approving  and 
overseeing  projects 


Criteria:  the  standards  for  our  audit 

Athabasca  University  should  have  effective 
processes  to  govern  IT  strategic  planning  and 
project  implementation.  This  includes  providing  key 
planning  information  to  the  executive  and  steering 
committees  on  all  projects.  This  information  should 
include  the  project's  scope,  objectives,  risks, 
resource  requirements  and  budget. 
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Our  audit  findings 


Key  Points 


•  An  integrated  delivery  plan  is  not  prepared 

•  The  IT  Strategic  Plan  is  out-dated 

•  Key  planning  information  lacking  or  not 
considered— the  University  does  not  consistently 
require  or  prepare  business  cases  for  IT  projects 

•  Coordinating  IT  governance  could  be  improved 

We  found  that  the  University  does  not  have  an 
integrated  IT  delivery  plan.  An  integrated  plan 
would  set  out  how  the  planned  IT  initiatives 
and  projects  in  administration,  academic  and 
computing  services  align  with  the  University's  IT 
Strategic  Plan.  Such  a  plan  would  also  set  out 
the  available  budgets  and  resources,  the  critical 
sequence  in  which  to  undertake  projects,  and  the 
interdependencies  of  projects  to  ensure  projects 
are  adequately  resourced  and  that  the  right  skills 
are  available. 

An  IT  delivery  plan  would  help  the  University 
determine  how  changes,  delays  and  cost  overruns 
on  individual  projects  might  affect  other  projects 
as  well  as  its  overall  strategic  plan,  budgets  and 
resources.  Although  the  University  has  created  an 
integrated  plan  for  the  KIP  and  CAF  program  after 
the  start  of  this  audit,  these  improvements  are  at 
risk  after  this  funding  ends.  These  improvements 
should  apply  to  all  IT  projects  in  the  University's 
IT  Strategic  Plan  and  AU  IT  Roadmap. 

We  also  found  that  the  University's  IT  Strategic 
Plan  is  not  current.  It  has  not  been  revised  to 
include  the  KIP  and  CAF  programs.  The  University 
has  implemented  new  learning  management  and 
content  management  systems,  and  other  smaller 
IT  projects.  However,  we  were  unable  to  determine 
how  many  other  projects  were  completed  because 
of  conflicting  plans  and  missing  information  in  the 
project  libraries  and  IT  governance  files. 

The  IT  steering  committees  and  executive 
committee  lack  key  and  relevant  planning 
information  they  need  to  make  informed  decisions. 
We  found  that  the  University  does  not: 

consistently  require  or  prepare  business  cases 
for  IT  projects — The  information  that  the  Chief 


Information  Officer  presents  to  IT  steering 
committees  is  not  consistently  documented. 
The  Project  Management  Office  should  provide 
the  committees  with  key  and  relevant  planning 
information  that  would  normally  be  in  formal 
project  business  cases,  such  as  a  budget, 
description  of  project  benefits,  dependencies, 
risks  and  mitigating  strategies  and  expected 
operating  costs. 

effectively  assess,  at  the  planning  phase,  the 
ongoing  costs  and  impacts  on  Computing 
Services  to  maintain  the  new  information 
technologies — Ongoing  IT  costs  for  the  support 
and  maintenance  of  new  systems  are  generally 
absorbed  into  the  existing  resource  pool  and 
budget.  This  strains  their  computing  services' 
capability  and  capacity  to  deliver  IT  services  to 
the  University. 

sufficiently  consider,  during  the  IT  governance 
and  strategic  planning  processes,  whether 
the  University's  IT  organization  has  the 
capacity  and  the  expertise  to  deliver  projects 
on  time  and  on  budget,  and  to  support  newly 
implemented  systems — For  example,  some 
IT  staff  were  assigned  project  management 
responsibilities  without  additional  resources  or 
support  to  complete  their  normal  duties,  which 
causes  priority  conflicts  within  the  computing 
services  team. 

prioritize,  communicate  and  account  for 
short-term  projects  (less  than  20  days)  when 
determining  the  overall  IT  resource  plan — The 
University  decided  to  exclude  this  information 
from  its  planning  and  governance  processes 
because  these  projects  individually  are  too 
small.  However,  collectively  they  may  require 
significant  resources  to  complete.  Therefore, 
the  committees  should  receive  this  information 
in  summary  format  so  the  committees  are  fully 
aware  of  all  IT  commitments.  Not  knowing 
the  full  extent  of  all  IT  projects  and  available 
resources  may  result  in  over-committing 
IT  and  business  staff  and  operational  funding. 
This  could  impede  the  progress  and  success 
of  committed  and  approved  IT  projects  and 
services. 
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Steering  committees  meet  separately  each  month 
to  make  decisions  that  affect  their  respective 
business  areas.  They  make  their  decisions 
in  isolation  from  the  other  committees.  While 
the  University's  executive  committee  reviews 
all  projects  for  final  approval  and  funding,  the 
University  does  not  have  an  integrated  delivery 
plan  for  all  IT  projects  to  provide  sufficient  and 
relevant  information  to  the  steering  committees 
and  executive  committee  when  making  their 
decisions.  For  example,  the  IT  Strategic  Plan  and 
the  AU  IT  Road  Map  documents  do  not  contain 
details  on  project  dependencies,  risks  and  resource 
needs. 

Athabasca  University  should  consider  the  following 
key  IT  governance  practices  to  improve  its 
governance  process:4 

1 .  Establish  the  basis  for  project  governance, 
approval  and  measurement — including 
defining  roles  and  accountabilities,  policies  and 
standards  and  associated  processes. 

2.  Evaluate  project  proposals  and  business  cases 
to  select  those  that  are  the  best  investment  of 
funds  and  scarce  resources  and  are  within  the 
organization's  capability  and  capacity  to  deliver. 

3.  Enable  through  resourcing  of  projects  with  staff 
and  consultants,  harnessing  and  managing 

of  business  support  and  the  provision  of  the 
governance  resources. 

4.  Define  the  "desired  business  outcomes"  (end 
states),  benefits  and  value — the  business 
measures  of  success  and  overall  value 
proposition. 

5.  Control  the  scope,  contingency  funds,  overall 
project  value  and  priorities. 

6.  Monitor  the  project's  progress,  stakeholder's 
commitment,  results  achieved  and  the  leading 
indicators  of  failure. 

7.  Measure  the  outputs,  outcomes,  benefits  and 
value — against  both  the  plan  and  measurable 
expectations. 

8.  Act  to  "steer"  the  project  into  the  organization, 
remove  obstacles,  manage  the  critical  success 


4      http://www.itgi.org — IT  Governance  Institute  (ITGI)  http:// 
www/isaca.org — Information  Systems  Audit  and  Control 
Association  (ISACA) 


factors  and  remediate  project  or  benefit- 
realization  shortfalls. 
9.    Develop  the  organization's  project  delivery 
capability — continually  building  and  enhancing 
its  ability  to  deliver  more  complex  and 
challenging  projects  in  less  time  and  for  less 
cost  while  generating  the  maximum  value. 

The  University's  IT  planning  documents  are 
incomplete  and  do  not  provide  the  necessary 
information  to  assist  the  committees  to  make 
informed  decisions  on  what  projects  to  proceed 
with,  delay  or  cancel. 


Implications  and  risks  if  recommendation 
not  implemented 

The  University  may  adopt  a  piecemeal  approach 
to  IT  projects  without  sufficient  and  relevant 
information.  This  may  result  in  outdated  academic 
and  administration  systems,  overlapping  of 
systems  that  provide  the  same  functionality  and 
unnecessary  spending  of  IT  budgets,  all  of  which 
could  impede  the  University's  ability  to  achieve  its 
strategic  business  objectives. 

Portfolio  and  project  management 

processes 

Background 

Effective  project  management  ensures  individual 
projects  are  delivered  on  time,  on  budget  and 
that  they  meet  users'  needs.  Portfolio  project 
management5  helps  ensure  the  right  projects  are 
done  at  the  right  time  and  in  the  right  order  within 
available  budget  and  resources,  and  managing 
conflicts  or  issues  between  projects. 

In  2008,  the  University  established  a  project 
management  office  (PMO)  to  provide  guidance 
on  project  management  and  assigned  a  manager 
part-time  to  oversee  the  PMO.  The  manager 
reports  to  the  Chief  Information  Officer.  The 
PMO  developed  some  project  management 

5     Portfolio  management  is  a  process  of  grouping  like 

projects  that  benefit  a  particular  business  area  or  corporate 
service,  for  the  purpose  of  collectively  managing  assigned 
resources,  business  transformation  and  readiness,  funding, 
and  collectively  assessing  expected  benefits. 
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processes,  tools  and  templates  to  assist  project 
managers.  The  University  used  federal  government 
funding  to  provide  additional  resources  to  the  PMO 
to  help  improve  project  management  for  projects 
covered  under  the  Knowledge  Infrastructure 
Program  funding. 

Recommendation:  improve  portfolio  and 
project  management  processes 


RECOMMENDATION  NO.  2 


We  recommend  that  Athabasca  University 
continue  to  improve  its  portfolio  management 
and  project  management  processes  for  IT 
projects  by: 

clarifying  and  communicating  the  mandate 
and  authority  of  the  project  management 
office 

setting  project  management  and 
architectural  standards,  processes  and 
methodologies,  and  training  project 
managers  on  these 

monitoring  and  enforcing  project  managers' 
adherence  to  these  standards,  processes 
and  methodologies 
tracking  and  managing  project 
dependencies  on  scope,  risks,  budgets  and 
resource  requirements 

Criteria:  the  standards  for  our  audit 

The  University  should  have  effective  project 
and  portfolio  management  systems  to  manage 
individual  projects  and  dependencies  on  other 
projects.  This  includes  a  project  management  office 
with  appropriate  authority  and  sufficient  skilled 
resources  to  set,  monitor  and  enforce  project 
management  standards  and  software  development 
life-cycle  methodology. 


Our  audit  findings 


Kev  Points 


Project  management  processes,  tools 
and  templates  are  incomplete  and  are  not 
consistently  implemented  orfollowed  for  all 
IT  projects 

The  PMO  lacks  the  mandate  and  authority 

to  set,  monitor  and  enforce  common  project 

management  standards  for  all  projects 

The  University  does  not  have  a  formal  software 

development  methodology 

The  University  does  not  have  a  formal 

IT  architecture  standard 


The  PMO  developed  initial  project  management 
processes,  tools  and  templates.  While  the 
University  implemented  some  improvements  for  the 
federally  funded  projects,  these  processes  are  not 
complete,  nor  are  they  consistently  implemented 
and  followed  for  all  IT  projects.  The  PMO  has 
not  matured  to  the  level  of  having  complete  and 
formalized  standards  for  project  management.  The 
University  needs  to  improve  its  processes  to  plan 
and  manage  the  large  number  of  initiatives  and 
dependencies  of  all  ongoing  IT  projects,  not  just 
federally  funded  projects. 

We  identified  the  following  issues: 

The  PMO  lacks  the  mandate  and  authority 
to  set,  monitor  and  enforce  common  project 
management  standards  for  all  projects,  and 
to  resolve  conflicts  or  issues  on  projects' 
scope,  budget,  timing  and  resources.  Many 
aspects  of  project  management  are  left  to  the 
discretion  of  individual  project  managers,  which 
includes  differing  project  progress  reporting, 
financial  reporting,  stakeholder  engagement, 
risk  management  and  overall  project  planning 
activities. 

The  University  improved  certain  processes 
over  the  federally  funded  projects  by  assigning 
four  additional  staff  to  the  PMO,  using  federal 
funding.  However,  sustaining  the  additional 
staff  is  at  risk  after  2011  when  the  federal 
funding  ends. 

The  PMO  does  not  provide  sufficient  training 
on  its  processes  and  tools  to  project  managers, 
who  are  mostly  contracted  staff. 
Projects  are  not  consistently  managed, 
resulting  in  delays  or  additional  costs.  For 
example,  the  Banner  system  upgrade  and  the 
new  Transfer  Credit  Articulation  system  were 
both  implemented  one  year  late,  without  any 
documented  rationale  for  the  delay. 
The  University  does  not  have  a  formal  software 
development  methodology  to  ensure  that 
IT  staff  and  contractors  follow  a  consistent 
systems  development  practice.  In  addition, 
the  University  does  not  have  formalized 
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IT  architecture  standards  to  guide  the 
University  to  develop  common  IT  infrastructure 
that  would  reduce  the  University's  long-term 
IT  operating  costs.  The  lack  of  an  integrated 
administration  system,  as  evidenced  through 
the  use  of  multiple  stand-alone  sub-systems 
that  differ  in  technology,  is  an  example  of  the 
need  for  IT  architecture  standards. 
The  University  needs  to  improve  its  portfolio 
management  processes  beyond  the  federally 
funded  projects,  to  track  and  manage  all 
projects  and  their  dependencies,  and  resolve 
constraints  and  issues  on  budgets,  resources 
and  risks.  While  risk  management  occurs 
on  individual  projects,  a  risk  management 
approach  for  all  IT  projects  needs  to  be  better 
coordinated  and  integrated. 


Implications  and  risks  if  recommendation 
not  implemented 

Without  an  adequately  staffed  PMO  with  the 
mandate  to  set,  monitor  and  enforce  IT  project 
processes,  the  University  may  not  be  able  to: 
deliver  the  necessary  IT  solutions 
ensure  new  IT  systems  integrate  with  existing 
systems 

promptly  inform  steering  committees  if 

IT  projects  are  experiencing  implementation 

delays  and  cost  overruns 

IT  project  performance  monitoring  and 

reporting 

Background 

The  IT  steering  committees'  primary  role  is  to 
recommend  projects  to  the  executive  committee 
for  funding  and  approval.  The  University  also 
established  the  KIP  Steering  Committee  to 
oversee  the  projects  that  the  federal  government 
funds.  Mature  IT  governance  models  include 
relevant,  sufficient  and  timely  project  progress 
and  performance  reporting  from  the  project 
management  office  to  the  steering  committees  and 
executive  committee,  to  enable  them  to  govern 
and  assess  the  projects  as  part  of  the  ongoing 
governance  framework. 


Recommendation:  formalize  IT  project 
performance  monitoring  and  reporting 


RECOMMENDATION 


We  recommend  that  Athabasca  University 
formalize  and  improve  its  monitoring  and 
oversight  of  information  technology  projects  by: 
improving  its  systems  to  quantify  and  record 
internal  project  costs 
providing  relevant  and  sufficient  project 
status  information  to  the  IT  steering  and 
executive  committees,  and  summarized 
project  information  to  the  Athabasca 
University  Governing  Council  Audit 
Committee 

completing  post-implementation  reviews  on 
projects  to  verify  that  expected  objectives 
and  benefits  were  met  and  identify 
possible  improvements  to  IT  governance, 
strategic  planning  and  project  management 
processes 


Criteria:  the  standards  for  our  audit 

Athabasca  University  should  have  effective 
processes  and  IT  systems  to  provide  accountability 
on  project  accomplishments,  issues  and  risks  of 
failure  to  the  IT  steering  committees,  Executive 
Committee  and  the  Audit  Committee  of  the 
Athabasca  University  Governance  Council.  This 
includes  having  effective  processes  to  quantify 
project  costs,  track  project  progress,  risks  and 
issues,  and  report  key  project  information  to  the 
relevant  committees. 


Our  audit  findings 


Key  Points 


•  The  University  does  not  have  a  way  to  quantify 
and  record  time  and  costs  for  IT,  administration 
and  academic  staff  assigned  to  IT  projects 

•  The  IT  steering,  executive  and  audit  committees 
do  not  have  the  information  they  need  to 
assess  if  the  IT  strategic  plans  are  actually 
achieving  business  objectives  efficiently  and 
cost-effectively 

•  The  University  does  not  review  completed 
projects  to  determine  if  the  stated  objectives 
and  benefits  were  achieved 

Project  costing — The  University  tracks  external 
project  costs  for  contractors,  purchased  software, 
computing  equipment  and  consulting  services. 
However,  the  University  does  not  have  the 
processes,  standards  or  time  tracking  systems  to 
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estimate  or  quantify  and  record  time  and  costs  for 
IT,  administration  and  academic  staff  assigned  to 
IT  projects.  Presently,  the  University  only  accounts 
for  certain  staff  time.  Therefore,  the  University 
cannot  accurately  determine  and  report  the  true 
cost  of  project  development  and  implementation. 

The  University  could  not  provide  us  with  detailed 
project  financial  information,  including  the  actual 
costs  for  many  IT  projects.  For  example,  there 
were  no  project  reports  (budgets  vs  actual,  internal 
and  external  resources,  or  work  breakdown 
structure  "WBS"6  details)  available  for  the 
completed  Contract  Tracking  Project  and  the  Video 
Conferencing  Project. 

Project  reporting — The  University  recently  began 
reporting  some  project  budget  and  schedule 
information  to  the  KIP  Steering  Committee  for 
projects  that  the  federal  government  funds. 
However,  the  University  has  not  historically  and 
still  does  not  provide  the  same  level  of  project 
information  to  the  IT  steering  and  executive 
committees  for  other  IT  projects.  The  information 
should  include  project  budgets  (internal  and 
external  forecasted  costs),  actual  costs,  stages 
of  completion  of  significant  projects  deliverables 
(percent  complete  and  percent  budget  consumed), 
explanations  for  variances,  risks  (and  actions 
taken  to  deal  with  the  causes)  and  dependencies 
between  projects. 

This  enhanced  level  of  detail  is  crucial  for 
the  IT  steering  and  executive  committees  to 
effectively  oversee  the  achievement  of  all 
IT  projects  in  the  University's  business  and 
strategic  plans.  In  addition,  this  information  would 
enable  management  to  demonstrate  to  the  Audit 
Committee  of  the  Governance  Council  that  they  are 
implementing  the  IT  strategic  plans  cost-effectively, 
that  objectives  are  being  met,  risks  are  managed 
and  benefits  have  been  achieved.  The  Audit 
Committee  told  us  that  the  information  they  recently 


6     A  work  breakdown  structure  (WBS)  in  IT  project 

management  defines  and  groups  a  project's  work  elements 
(or  tasks)  in  a  way  that  helps  organize  and  define  the  total 
work  scope  of  the  project. 
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received  for  the  KIP  has  improved  and  is  detailed; 
however,  this  improvement  had  occurred  after  the 
start  of  our  audit. 

Post-implementation  reviews — Since  the 
University  does  not  prepare  business  cases 
with  measurable  objectives  for  IT  projects  (costs 
savings,  operational  efficiencies,  impacts  of  new 
services,  etc.),  it  cannot  effectively  measure  if 
a  project  has  been  successful.  Our  review  of  a 
sample  of  projects  indicated  that  the  University 
measured  their  success  against  high-level 
objectives  (general  statements  on  project  purpose 
and  expectations)  only.  These  high-level  objectives 
are  subjective,  in  addition,  the  University  does 
not  conduct  formal  post-implementation  reviews 
of  completed  projects  to  determine  if  the  stated 
objectives  and  benefits  were  achieved,  and 
to  identify  improvements  to  the  University's 
IT  governance,  strategic  planning  and  project 
management  processes. 


Implications  and  risks  if  recommendation 
not  implemented 

Without  sufficient  and  relevant  reporting  on  project 
progress,  costs,  issues  and  risks  to  achieving 
objectives  and  benefits,  the  IT  steering  committees, 
Executive  Committee  and  Audit  Committee  do 
not  have  the  feedback  information  they  need  to 
assess  whether  the  approved  IT  strategic  plans  are 
actually  achieving  business  objectives  efficiently 
and  cost-effectively. 

Financial,  human  resources  and  payroll 

systems 

Background 

In  2005,  the  University  recognized  problems 
with  its  administration  systems  that  required 
manual  work-arounds  to  ensure  that  financial 
information  flows  accurately  between  the  systems. 
These  systems  are  aging,  system  integration  is 
difficult  because  of  the  differing  technologies  and 
IT  maintenance  and  support  costs  are  growing. 
In  some  cases,  duplicate  information  is  stored, 
which  has  caused  data  errors  and  operational 
inefficiencies.  Most  importantly,  the  finance,  payroll 
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and  human  resource  systems  may  not  meet  the 
growing  business  needs  of  the  University.  Our 
2010  financial  statements  audit  also  highlighted 
inefficiencies  in  the  University's  processing  of 
capital  asset  transactions  due  to  limitations  in  its 
financial  systems. 

The  University  has  11  different  financial,  human 

resources  and  payroll  systems: 

CODA  financial  management  software  for  the 
general  ledger  and  accounts  payable 
Banner  student  information  system  and 
accounts  receivable  module  that  transfers 
information  to  CODA  using  an  in-house  built 
interface 

EmPath  system  for  payroll 

customized  software  for  material  management 

a  stand-alone  "in-house"  developed  system  for 

purchasing 

course  materials  information  system  for 
warehousing  inventory  (information  is 
interfaced  via  real-time  uploads  to  the  Banner 
system) 

expense  claims  and  credit  card  processing 
systems 

contract  management  system 
copyright  management  system 
leave  tracking  system 
staff  hiring  system 

Recommendation:  resolve  inefficiencies 
in  financial,  human  resources  and  payroll 
systems 


RECOMMENDATION 


We  recommend  that  Athabasca  University 
complete  its  plans  to  resolve  the  inefficiencies 
in  its  financial,  human  resources  and  payroll 
systems. 

Criteria:  the  standards  for  our  audit 

Athabasca  University  should  have  efficient  and 
cost-effective  financial,  human  resources  and 
payroll  systems.  To  achieve  this,  the  University 
should  have  effective  IT  strategic  planning 
processes  to  ensure  that  approved  plans  are 


implemented,  and  to  approve  and  document  the 
rationale  and  impact  of  changes  to  approved  plans. 

Our  audit  findings 


Key  Points 


•  Plans  to  integrate  financial,  human  resources 
and  payroll  systems  are  incomplete 

•  Systems  that  share  data  are  not  integrated 
and  require  inefficient  and  costly  manual 
work-arounds 

Plans  to  integrate  financial,  human  resources 
and  payroll  systems  are  incomplete — The 

University's  plan  from  2005,  to  resolve  the 
inefficiencies  in  its  administration  systems,  is 
incomplete.  The  University  upgraded  its  Banner 
student  information  system  in  2008  and  scheduled 
a  new  human  resource  information  system 
project  to  start  in  2010.  The  original  plans  for  an 
integrated  enterprise  resource  planning  system 
were  removed  from  the  strategic  plan  without 
any  documented  rationale  for  the  change  or  a 
formal  assessment  on  how  the  inefficiencies 
would  be  resolved.  Management  and  the  Audit 
Committee  told  us  they  had  ongoing  discussions 
on  the  issues  and  included  this  project  and  budget 
in  the  Academetrics  project  in  the  University's 
capital  plan.  However,  this  decision  is  not  clearly 
documented  and  is  not  in  the  current  IT  strategic 
plan. 

If  this  project  is  a  key  priority  for  the  University, 
then  it  should  remain  prominent  in  the  University's 
strategic  plans.  Any  changes  to  its  name  or  scope 
should  be  clearly  defined  and  communicated  within 
the  IT  governance  process. 

In  2009,  the  University  contracted  a  consultant  to 
prepare  a  business  case  for  an  enterprise  resource 
planning  system.  Alternative  IT  solutions  were 
proposed,  with  costs  and  benefits  identified.  As 
well,  a  high-level  risk  assessment  was  performed 
that  identified  risks  of  not  proceeding  with  the 
project,  such  as: 

•     increasing  ongoing  costs  to  maintain  the 
fragmented  systems 
increasing  duplication  of  administrative 
processes 
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low  morale  of  staff  using  the  existing 
administration  systems 

The  University  has  recently  started  considering 
a  shared  service  arrangement  with  another 
post-secondary  institution,  but  is  still  only  in  the 
planning  phase.  The  University  must  also  consider 
the  issues  with  the  financial,  human  resources  and 
payroll  systems  when  preparing  the  integrated 
delivery  plan  referred  to  in  our  recommendation 
on  page  27,  to  ensure  these  systems  and  business 
operations  can  effectively  support  the  University's 
student  services. 


Implications  and  risks  if  recommendation 
not  implemented 

Systems  that  share  data  and  are  not  integrated 
require  manual  work-around  processes.  These 
processes  are  inefficient,  resulting  in  increases 
to  the  ongoing  operating  costs  of  the  University's 
administration. 
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Summary 


Grant  MacEwan  University  is  implementing  a  new 
enterprise  resource  planning  ERP  system  in  five 
phases.  This  ERP  system  includes  PeopleSoft's 
finance,  human  resources  and  payroll  and  student 
information  modules. 

What  we  examined 

We  determined  if  the  University  has  established 
an  effective  governance  structure  and  project 
management  processes  to  implement  the  first 
phase  of  the  project,  the  finance  module. 

We  also  followed-up  if  the  University  has 
implemented  our  previous  recommendation  to 
develop  and  implement  a  quality  assurance 
program  for  its  enterprise  resource  planning 
renewal  project. 

Why  this  it  important  to  Albertans 

The  new  ERP  system  will  have  a  considerable 
effect  on  the  operations  of  the  University.  The 
University  has  established  a  budget  of  $22  million 
for  the  project.  It  is  important  that  the  University 
establish  an  effective  governance  structure  and 
project  management  system  to  cost-effectively 
implement  the  new  system  and  change  its  business 
processes  and  controls. 

What  we  found 

We  do  not  have  any  recommendations.  The 
University,  with  the  support  of  the  Board  of 
Governors,  adopted  the  approach  to  implement 
the  PeopleSoft  system,  with  minimal  changes. 
To  achieve  this,  the  University  established  a 
well-designed  governance  structure  and  project 
management  standards,  policies  and  processes 
to  oversee  and  implement  the  overall  system.  The 
University  adhered  to  these  policies  and  processes 
for  the  first  phase  of  the  project.  The  Project 
Management  Office  reports  relevant,  accurate 


and  timely  project  status  reports  to  the  Steering 
Committee,  executive  management  and  the 
Finance  and  Audit  Committee. 

The  University  uses  many  processes  and  controls 
within  the  new  system.  Management  indicated  they 
have  already  experienced  immediate  improvements 
in  certain  business  processes.  The  University  is 
reviewing  the  organizational  structure  of  the  finance 
department,  and  implementing  manual  processes 
and  controls  to  maintain  the  system.  It  trained  staff 
on  the  new  system  and  planned  to  provide  more 
training  in  September  after  academic  staff  return. 

We  believe  the  governance  structure  and  project 
management  standards,  policies  and  procedures 
provides  a  good  foundation  for  the  University  to 
implement  the  other  project  phases.  Management 
indicated  that  the  Campus  Solutions  phase  will 
have  a  significant  impact  on  the  University's 
operations.  The  University  should  ensure  that  it 
develops  the  manual  processes  and  controls  for 
the  remaining  phases  before  implementing  the 
system. 

Quality  assurance  program 
The  University  implemented  our  previous 
recommendation  by  developing  and  implementing 
a  quality  assurance  program1  to  provide  assurance 
to  the  Steering  Committee,  Audit  and  Finance 
Committee  and  executive  management  that 
effective  IT  governance  and  project  management 
controls  are  in  place  and  complied  with. 


Audit  objectives  and  scope 


We: 

evaluated  if  the  University  has  effective 
systems  to  govern  and  manage  the 
implementation  of  the  PeopleSoft  ERP  system, 
accurately  convert  data  from  the  old  to  the  new 

1      See  page  31  for  further  details  on  our  follow-up  audit  of  a 
quality  assurance  program. 
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financial  system,  and  implement  well-designed 
and  effective  business  processes  and  controls 
for  the  new  system 

followed-up  if  the  University  has  implemented 
the  recommendation  to  develop  and  implement 
a  quality  assurance  program  for  its  enterprise 
resource  planning  renewal  project 

Our  audit  scope  was  restricted  to  the  Finance 
Wave  1  implementation.2 


Background 


In  our  April  2010  Report  (page  152),  we  reported 
that  the  University  started  several  initiatives  to 
improve  its  control  environment,  resolve  staffing 
and  information  systems  issues,  and  fix  internal 
control  weaknesses.  In  July  2009,  the  University 
began  implementing  a  new  enterprise  resource 
planning  system  to  improve  its  information  systems 
and  business  processes.  The  system  uses  Oracle's 
PeopleSoft  suite  of  financial,  human  capital 
management  and  campus  solutions.  The  University 
contracted  with  a  consortium  of  IBM,  Oracle  and 
UDigit  to  assist  with  the  project  management, 
systems  development  and  implementation  of  the 
new  system.  The  University  established  a  budget 
of  $22  million,  and  plans  to  implement  it  in  the 
following  phases: 


Finance  Wave  1  (accounting3) 

July  2010- 
implemented 

Campus  Solutions  Wave  1  (student  records) 

October  2010 

Finance  Wave  2  (budget,  asset  management) 

January  2011 

Human  Resources  (payroll  &  HR) 

January  2011 

Campus  Solutions  Wave  2  (student  financial) 

July  2011 

Table  1 :  Project  phases 


In  addition  to  the  PeopleSoft  tools  being 
implemented,  the  University  also  plans  to 
standardize  business  processes  and  enhance  self 
service  offerings  for  students  and  employees. 


2  Finance  Wave  1  included  general  ledger,  payables, 
receivables,  procurement  and  expense  claims. 

3  management  is  an  approach  used  to  define  and  group  a 
project's  work  elements  (or  tasks)  in  a  way  that  helps  to 
organize  and  define  the  total  work  scope  of  the  project. 


Findings  and  recommendations 


Governance  and  project  management 
for  the  ERP  system 
Our  audit  findings 

The  University  has  implemented  effective 

IT  governance  and  project  management  standards, 

policies  and  processes  for  the  project.  The 

University: 

established  a  project  steering  committee 
consisting  of  senior  and  executive 
management — The  committee  is  providing 
effective  project  oversight  and  decisions  for  all 
project  plans  and  implementation  strategies, 
ensuring  that  the  University  is  prepared  and 
ready  for  the  implementation  of  each  project 
phase. 

implemented  effective  project  management 
standards,  policies  and  processes — The  project 
management  office  established  and  enforces 
standards  and  processes  for  the  project.  This 
includes  project  financial  controls  to  analyze 
project  work-breakdown  structure3  tasks  and 
accomplishments  against  budget.  These  help 
ensure  that  project  plans  are  kept  current  and 
accurate,  and  if  adjustments  in  timeline,  scope 
or  funding  are  required,  that  the  necessary 
steps  are  taken  to  avoid  the  risk  of  project 
failure  (over  budget,  late  or  does  not  meet 
users  needs). 

implemented  effective  project  change  request 
controls — The  University  properly  documents 
required  changes  to  schedule,  scope  or 
funding,  assesses  its  impacts  and  risks  and 
the  project  steering  committee  approves  any 
changes. 

provided  accurate  and  timely  project  status 
reporting  "governance  feedback"  to  the  Project 
Steering  Committee  and  the  Finance  and  Audit 
Committee  on  project  status,  financials,  and 
risks  and  issues  to  achieving  stated  project 
objectives 

Systems  to  convert  financial  data  and 

information  to  the  new  system  

Our  audit  findings  

The  University  has  developed  an  effective  data 
conversion  strategy  to  migrate  financial  data  from 
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the  old  Colleague  financial  system  (and  other 
smaller  financial  systems  or  databases)  to  the 
new  PeopleSoft  system.  This  strategy  included 
developing  data  migration,  data  cleansing  and 
reconciliation  procedures  to  verify  the  accuracy 
of  the  data  conversion  activities  for  the  Finance 
Wave  1  phase.  The  Steering  Committee  worked 
with  the  University's  Finance  department  to 
oversee  and  approve  the  data  conversion  and 
implementation  of  the  Finance  Wave  1  phase. 
It  followed  these  processes  when  converting 
certain  financial  information  and  investigated 
and  resolved  any  issues.  The  University  plans  to 
transfer  the  closing  balances  to  the  new  system 
after  we  complete  the  audit  of  the  University's 
June  30,  2010  financial  statements.  We  will  assess 
the  completeness  and  accuracy  of  this  transfer  in 
the  fall. 

The  University  is  developing  data  conversion  plans 
and  strategies  for  the  human  resources,  campus 
solutions  and  second  finance  phases.  We  will 
review  these  in  future  to  ensure  they  are  effective 
to  accurately  convert  data  to  the  new  system. 

Systems  to  implement  well-designed 
business  processes 
Our  audit  findings 

The  University,  with  the  support  of  the  Board 
of  Governors,  has  adopted  the  strategy  of 
implementing  the  new  PeopleSoft  ERP  system 
"out  of  the  box,"4  with  minimal  to  no  software 
changes  where  possible.  This  approach  will  help 
the  University  to  take  advantage  of  system  features 
and  related  business  processes  and  controls  and 
to  lower  ongoing  IT  maintenance  efforts  and  costs 
to  support  the  new  PeopleSoft  system  after  its 
implementation.  Management  indicated  they  have 
experienced  immediate  improvements  from  the 
implementation  of  Finance  Wave  1 .  For  example, 
transactions  from  other  systems,  such  as  the 
bookstore  and  residence  systems  are  electronically 
transferred  to  the  PeopleSoft  system,  thereby 
eliminating  the  need  for  duplicate  entries. 

4     Implement  the  acquired/purchased  system  as  is,  without 
making  considerable  software  changes  or  extensions 


While  the  University  uses  many  processes  and 
controls  within  the  system,  it  is  still  reviewing  the 
organizational  structure  of  the  finance  department 
and  finalizing  the  implementation  of  manual 
processes  and  controls  required  to  maintain  the 
system.  We  will  review  the  implementation  of  the 
new  business  processes  and  controls  throughout 
the  University  in  future  after  the  University  has 
implemented  the  manual  processes  and  controls, 
and  academic  departments  have  implemented  the 
business  processes  and  controls. 

The  University  held  numerous  training  sessions 
for  staff  on  the  new  system  features  for  Finance 
Wave  1  and  related  business  processes.  A 
self-study  module  is  also  available  in  PeopleSoft 
to  assist  with  training.  In  July,  there  were  over 
100  calls  to  the  University's  IT  help-desk  related 
to  questions  on  using  the  new  system  features; 
however,  the  majority  of  these  calls  were  minor 
inquiries  related  to  system  navigation  and  security 
privileges.  The  project  team  is  taking  steps 
to  improve  its  training  sessions  based  on  the 
help-desk  activity  and  will  offer  more  sessions  to 
train  staff  returning  in  September. 

The  University  implemented  system  security  using 
a  role-based  approach  to  ensure  that  staff  can 
only  perform  system  functions  that  are  required  for 
their  job  function.  The  system  security  roles  will  be 
automatically  linked  to  the  human  resource  system, 
once  implemented.  For  example,  the  system 
will  automatically  remove  an  employee's  access 
when  they  are  no  longer  employed.  Until  then, 
the  finance  department  will  control  and  monitor 
changes  to  system  security 

Quality  assurance  program  for  the  ERP 

project — implemented 

Background 

This  project  will  have  a  considerable  effect  on  the 
operations  of  the  University;  it  will  also  require 
significant  monetary  investment.  Therefore,  the 
University  needs  to  ensure  that  all  project  parties, 
including  contracted  vendors,  are  delivering 
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high-quality  solutions  to  meet  the  University's 
needs. 

In  our  April  2010  Report  (no.  1 9— page  1 78),  we 
recommended  that  Grant  MacEwan  University 
develop  and  implement  a  quality  assurance 
program  for  its  enterprise  resource  planning 
project.  A  quality  assurance  program  gives  the 
oversight  committee  assurance  that  an  entity's 
standards  and  controls,  which  ensure  systems 
are  implemented  on  time,  on  budget,  and  meets 
users'  needs,  are  well  designed  and  adhered  to 
throughout  the  project's  life. 


Our  audit  findings 


the  University  did  not  yet  have  an  internal  auditor5 
to  provide  independent  oversight  of  the  quality 
assurance  review.  To  resolve  this,  the  University's 
Chief  Information  Officer: 

hired  an  independent  consultant,  who  defined 
the  scope  and  performed  the  quality  assurance 
reviews  without  interference  from  University 
management 

assigned  an  IT  manager  who  was  not  directly 
involved  in  the  project,  to  coordinate  and 
oversee  the  review  activities,  assisting  the 
quality  assurance  reviewer  with  access  to 
project  materials  and  staff  to  interview 
provided  the  complete  review  results  to  project 
team  leadership,  who  in  turn  reported  the 
results  to  the  steering  committee,  executive 
management  and  the  Audit  and  Finance 
Committee,  without  changes  or  omissions 

We  confirm  that  the  University  did  make  best 
efforts  to  ensure  that  the  quality  assurance  process 
was  performed  as  an  independent  review,  without 
influence  or  interference  from  management  to 
direct  the  scope  or  modify  the  results  of  the  reviews 
completed  so  far.  The  University  resolved  this 
independence  matter  by  hiring  an  internal  auditor 
and  transferring  the  oversight  and  management  of 
the  quality  assurance  review  from  the  CIO  to  the 
internal  audit  team. 

Although  the  focus  for  the  quality  assurance 
reviews  have  been  on  project  governance  and 
management  controls,  it  is  expected  that,  with  the 
transfer  of  ownership  to  internal  audit,  future  quality 
assurance  review  scope  will  focus  more  on  the  risk 
management  of  business  readiness  and  business 
transformation  activities. 


The  University  has  established  a  quality  assurance 
program  for  the  project.  In  February  2010,  the 
University  hired  an  external  contractor  to  assess 
the  effectiveness  of  project  management  and 
governance  controls.  The  review  identified  minor 
issues  with  project  team  resource  constraints,  team 
structure,  risk  management,  change  management 
controls  and  the  need  for  a  sustainment  strategy. 
The  University  reported  the  results  to  the  Steering 
Committee,  Audit  and  Finance  Committee 
(summarized  with  project  status)  and  executive 
management,  with  action  plans  identified.  The 
project  team  has  resolved  these  issues. 

The  second  review,  in  June  2010,  assessed  the 
University's  readiness  to  go  live  with  Finance 
Wave  1 .  It  also  identified  project  issues  with  the 
schedule  and  scope  related  to  the  development 
efforts  for  the  Campus  Solutions  Wave  1  and 
Finance  Wave  2  project  phases.  The  University  is 
currently  resolving  these  issues. 

The  University  expects  to  complete  at  least 
five  reviews,  but  more  reviews  may  be  needed 
depending  on  the  results. 

Reviewer  independence 
For  a  quality  assurance  process  to  be  effective,  it 
should  be  independent.  An  independent  reviewer 
can  provide  an  objective  review  and  minimize 
the  risk  of  misleading  results.  When  the  quality 
assurance  review  process  began  in  February  2010, 


5     Internal  audit  performs  its  audit  duties  independent  of 
management's  responsibility,  without  interference  or 
pressure  from  management  on  the  audit  approach  or 
results. 
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Summary 


Young  Albertans  receive  child  care  services 
from  various  programs  across  the  province.  The 
Department  of  Children  and  Youth  Services — 
through  the  Statutory  Director  for  Child  Care  and 
ten  regional  Child  and  Family  Services  Authorities 
(Authorities)  monitors  child  care  programs  for 
compliance  with  legislation,  regulations,  and 
standards  on  behalf  of  the  Minister.  The  goal  is 
to  provide  "continuous  improvement  of  child  care 
programs  through  standards  and  monitoring  to 
promote  the  safety  and  well-being  of  children  aged 
zero  to  12."1 

In  May  2008,  the  Minister  of  Children  and  Youth 
Services  announced  the  Creating  Child  Care 
Choices  (the  Plan).2  One  target  of  the  Plan  was  to 
create  14,000  new  child  care  spaces  over  three 
years,  an  approximate  25%  increase.  Other  Plan 
elements  included  increased  accreditation  funding, 
grants  and  scholarships  for  staff  and  providers,  and 
subsidies  for  low  income  parents.  The  Department 
and  Authorities  continue  to  monitor  existing  child 
care  programs,3  and  enforce  compliance  with 
applicable  statutory  requirements  and  standards, 
during  implementation  of  the  Plan. 

What  we  examined 

To  assess  if  the  increase  in  child  care  spaces 
compromised  existing  program  delivery,  we  audited 
the  design  and  operation  of  systems  to  monitor  and 
enforce  compliance  with  applicable  requirements 
for  child  care  programs.  Our  audit  procedures 
included  reviewing  relevant  legislation,  standards, 
policies  and  procedures,  interviewing  senior  staff 
at  the  Department  and  five  Authorities,  shadowing 
licensing  officers  as  they  inspected  programs, 
reviewing  inspection  reports,  and  examining  the 
Department's  Child  Care  Information  System 

1  Ministry  Strategic  Framework  for  Creating  Child  Care 
Choices  in  Alberta — Goal  1 

2  http://www.child.alberta.ca/home/1102.cfm 

3  Licensed  programs  under  the  Child  Care  Licensing  Act. 
and  approved  family  day  home  programs 


(CCIS).'1  We  did  not  audit  processes  to  license  child 
care  programs  or  approve  family  day  homes. 

Why  this  is  important  to  Albertans 

Children  who  have  good  quality  care  in  their  early 
years  are  more  likely  to  be  engaged  learners  and 
more  likely,  as  adults,  to  be  independent,  stable 
and  productive  citizens  in  their  communities.5  To 
ensure  that  Albertans  receive  high  quality  child 
care,  the  Department  must  have  systems  to  provide 
safe,  accessible,  quality  child  care  programs. 

The  Child  Care  Licensing  Act,  the  Child  Care 
Licensing  Regulation  (Statutory  Requirements), 
and  standards  govern  licensed  or  approved  child 
care  programs.  With  compliance,  it  is  reasonable 
to  expect  children  will  be  safe  and  well  cared  for. 
However,  no  system  can  absolutely  guarantee 
the  safety  of  all  children  at  all  times,  whether 
under  government  inspected  care  or  not.  The 
unpredictable  nature  of  human  behaviour  has 
caused  tragedies  in  the  best  designed  and 
operating  systems.  But  risks  can  be  mitigated  by 
ensuring  that  monitoring  and  enforcement  activities 
are  understood,  well-documented,  and  consistently 
applied.  Otherwise,  the  Department,  Authorities 
and  parents  cannot  be  sure  child  care  is  being 
delivered  as  intended. 

What  we  found 

The  Department  and  Authorities  have  systems 
in  place  for  monitoring  and  enforcing  compliance 
with  Statutory  Requirements  and  standards, 
notwithstanding  the  increased  spaces  established 
under  the  Plan.  However,  improvements  are 
needed  in  documenting  Authorities'  monitoring 
results,  including  enforcement  action  taken  to 
remedy  non-compliance.  Without  improving 
documentation  processes,  the  system  will  not 
operate  as  intended. 


4  CCIS  is  an  automated  information  system  maintained  by 
the  Department. 

5  Ministry  Strategic  Framework  for  Creating  Child  Care 
Choices  in  Alberta 
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What  needs  to  be  done 

Enforcement  action  can  vary  depending  on  the 
severity  of  non-compliance.  A  verbal  warning 
may  be  appropriate  for  low-risk  non-compliance. 
However,  higher  risk  non-compliance  may  result  in 
an  "Order  to  Remedy",  or  even  suspension  of  the 
child  care  provider's  license.  Although  follow-up 
action  on  higher  risk  non-compliance  was  well 
documented  and  carried  out  promptly,  we  found 
verbal  warnings  were  not  well  documented,  making 
it  difficult  to  determine  if  the  appropriate  action  was 
taken.  We  therefore  recommend  that: 

The  Department  and  Authorities  review 
documentation  and  training  requirements  for 
monitoring  processes — see  page  36 
Authorities  adhere  to  established  policies  and 
processes,  including  using  the  risk  assessment 
framework — see  page  38 
Authorities  better  document  verbal  warnings 
and  their  prompt  resolution — see  page  39 


Audit  objective  and  scope 


Our  audit  objectives 

We  assessed  if: 

Department  and  Authority  systems  to  monitor 
and  enforce  Statutory  Requirements  effectively 
accommodated  an  increase  in  child  care 
spaces  without  compromising  existing  program 
delivery. 

The  Department  communicated  Statutory 

Requirements,  and  relevant  policies  and 

procedures,  to  Authorities. 

The  Authorities  have  effective  and 

well-designed  systems,  operating  as  intended, 

to: 

Communicate  operating  and  monitoring 
Statutory  Requirements  to  licensed 
programs,  family  day  home  agencies,6  and 
approved  day  home  providers. 
Monitor,  assess  and  resolve 
non-compliance  with  Statutory 
Requirements. 

6     Family  day  home  agencies  are  contracted  service 
providers  responsible  for  monitoring  approved  family 
day  homes,  and  enforcing  compliance  with  operating 
requirements  and  standards  under  agreement  with  an 
Authority. 

34 


Our  audit  scope 

We  examined  the: 

Roles  and  responsibilities  of  the  Department, 
Authorities,  and  contracted  family  day  home 
agencies  (Agencies),  licensed  child  care 
programs,  and  approved  day  home  service 
providers. 

Systems  that  the  Department  and  Authorities 
use  to  monitor  compliance  with  Statutory 
Requirements. 

Systems  that  Authorities  use  to  resolve 
non-compliance 

We  did  not  audit  financial  transactions  between 
any  involved  parties,  nor  did  we  examine  the 
accreditation  process,  which  is  not  a  statutory 
requirement.  We  did  not  audit  processes  to  license 
child  care  programs  or  approve  family  day  homes. 

We  performed  our  audit  fieldwork  between  May 
and  July  2010,  examining  practices  and  results 
between  May  2008  and  July  2010.  We  visited 
five  of  the  10  Authorities  and  the  Department's 
corporate  office  in  Edmonton — interviewing  senior 
management,  shadowing  licensing  officers  on 
program  inspections,  reviewing  documentation 
from  inspections  and  corresponding  computer 
records,  and  analyzing  a  computer  record  of  all 
inspections  during  the  2009-2010  fiscal  year. 


Background 


Definitions 
Child  care7 

The  temporary  care  and  supervision  of  a  child8 
by  an  individual  other  than  the  child's  parent  or 
guardian,  but  does  not  include  residential  care. 

Licensed  child  care  programs9 
A  program  with  the  primary  purpose  of  providing 
child  care  to  seven  or  more  children,  but  does  not 
include  the  following: 

An  education  program  provided  under  the 

School  Act; 

7  Child  Care  Licensing  Act,  Section  1 

8  Ibid,  -a  child  under  the  age  of  13  years,  or  a  child  of  13  or 
14  years  of  age  who  because  of  a  special  need  requires 
child  care. 

9  Child  Care  Licensing  Act,  Section  1 
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a  day  camp,  vacation  camp  or  other 
recreational  program  that  operates  for  less  than 
12  consecutive  weeks; 

supervision  of  children  at  a  recreational  facility, 
retail  centre  or  other  commercial  establishment 
where  the  parents  of  the  children  remain  on  the 
premises  and  are  readily  available. 

Approved  family  day  homes10 
Family  day  home  services  provide  child  care  to  six 
or  fewer  children  in  accordance  with  the  Family 
Day  Home  Standards  Manual  "  which  contains 
minimum  Ministry  standards  for  operating  an 
approved  family  day  home  service  for  the  purpose 
of  providing  child  care  to  children.  Authorities 
contract  with  agencies  to  administer  a  family  day 
home  service,  which  includes: 

provider  recruitment,  approval,  training  and 

monitoring 

assistance  to  parents  with  choosing  a  home 
enrolment  and  placement  of  children  in  homes 
collection  of  parent's  fees  and  payment  of 
providers 

Accreditation12 

The  Alberta  Child  Care  Accreditation  Program 
is  a  voluntary  process  that  allows  licensed  day 
care  programs  and  contracted  family  day  home 
agencies  to  demonstrate  that  they  exceed  Statutory 
Requirements.  The  emphasis  is  on  staff  practice, 
outcomes  for  children  and  families  and  continuous 
improvement.  At  March  31 ,  201 0,  approximately 
80%  of  day  care  and  family  day  home  agencies 
were  accredited. 

To  become  accredited,  a  program  must: 
evaluate  itself  against  the  accreditation 
standards, 

determine  areas  for  improvement  and  put  in 
place  a  work  plan  to  implement  the  identified 
improvements, 


request  a  site  visit  from  the  accreditation 
agency  when  the  work  plan  is  complete,  and 
submit  an  annual  report  once  accredited. 

Accreditation  must  be  renewed  every  three  years. 

The  Ministry  provides  funding  for  toys  and 
equipment,  wage  top-ups  for  child  care  staff  and 
training  grants  for  programs  who  participate  in 
accreditation.  The  rates  differ  depending  on  the 
accreditation  status  of  the  program. 

Monitoring  and  enforcement 
Licensed  programs 
Licensed  program  operators  are  governed  by 
Statutory  Requirements.  Authority  staff  monitor 
licensed  programs  and  enforce  compliance  with 
applicable  operating  requirements.  The  Department 
has  also  developed  policies  and  procedures  to 
guide  Authorities  in  carrying  out  their  monitoring 
and  enforcement  activities  for  licensed  programs. 

Authorities'  licensing  officers  inspect  these 
programs  at  least  twice  a  year  and  inspect  in 
response  to  complaints  and  program  reported 
critical  incidences  such  as  child  injury.  If  a  program 
is  not  complying  with  regulatory  requirements, 
through  delegation  from  the  Statutory  Director  for 
Child  Care,  a  licensing  officer  may:13 

issue  a  verbal  warning  to  correct 

non-compliance 

issue  an  order  to  remedy  non-compliance 

impose  conditions  on  a  license 

vary  a  provision  of  a  license 

suspend  a  license  and  issue  a  probationary 

license 

cancel  a  license 

Enforcement  action  will  vary  depending  on 
the  severity  of  the  non-compliance.  Low  risk 
non-compliance  may  warrant  more  serious 


10  Subject  to  monitoring  and  enforcement  by  agencies  who 
carry  out  oversight  of  approved  family  day  home  programs 
on  behalf  of  Authorities  pursuant  to  contract. 

11  See  http://www.child.alberta.ca/home/documents/childcare/ 
Final_Client_Copy-FDH_Standards_Manual.pdf 

1 2  See  http://www.aelcs.ca/  for  further  information  on  the 
Alberta  Association  for  the  Accreditation  of  Early  Learning 
and  Care  Services. 


enforcement  action  if  frequently  repeated 
or  identified  as  part  of  a  pattern  of  ignoring 
requirements. 


1 3    Child  Care  Licensing  Act,  Sections  11-15 
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Licensing  officers  will  investigate  if  they  learn  that 
a  child  care  program  is  operating  without  a  license. 
They  may  enter  the  premises  and  order  an  illegal, 
unlicensed  child  care  program  to  stop  operating.  If 
the  provider  does  not  stop,  an  Authority  can  seek  a 
court  order  to  force  them  to  stop. 

Approved  family  day  homes 
Approved  family  day  home  services  are  subject  to 
oversight  by  Agencies  contracted  by  Authorities 
to  carry  out  monitoring  and  enforcement  activities 
on  their  behalf.  Agencies  monitor  these  programs 
and  enforce  compliance  with  standards.14  Agencies 
must  visit  each  of  their  day  homes  six  times  a 
year  to  ensure  they  meet  standards.  Agencies 
are  subject  to  oversight  by  the  Authority,  and 
standards  require  Authorities  to  visit  each  Agency 
at  least  annually  to  ensure  the  Agency  is  fulfilling  its 
contracted  obligations  with  the  Authority.  Monitoring 
of  Agencies  by  Authorities  includes  reviewing 
Agency  records,  and  visiting  10%  of  the  homes 
overseen  by  the  Agency. 

Standards  for  Agencies  govern  staffing, 
caseloads  and  monitoring,  criminal  record  checks, 
recruitment  of  family  day  home  providers,  support 
for  family  day  home  providers,  Agency  policy, 
services  for  parents,  and  critical  incident  reporting. 

Standards  for  approved  family  day  homes 

govern  insurance  coverage,  children's  information 
records,  portable  emergency  information  records, 
provider  accommodations,  transportation  and 
outings,  number  and  ages  of  children,  child  care 
program,  child  supervision,  child  guidance,  health 
and  safety,  smoking,  meals  and  snacks. 

The  Creating  Child  Care  Choices  plan 

Alberta  announced  Creating  Child  Care  Choices 
(the  Plan)  in  May  2008.  A  goal  was  to  increase  the 
availability  of  child  care  by  creating  14,000  new 
child  care  spaces  (an  approximate  25%  increase) 
in  licensed  and  day  home  programs  over  three 


14    Standards  for  family  day  home  agencies  and  standards 
for  approved  day  homes  should  not  be  confused  with 
accreditation  standards.  The  approved  family  day  home 
program  is  governed  by  the  Family  Day  Home  Standards 
Manual,  previously  cited. 
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years.  It  also  aimed  to  assist  operators  by  providing 
enhanced  funds  for  staffing,  and  to  assist  low 
income  parents  with  the  cost  of  child  care.  New 
spaces  may  be  created  with  existing  providers, 
or  may  involve  licensing  or  approving  new  child 
care  providers.  In  all  cases,  existing  processes 
for  monitoring  and  enforcing  compliance  will 
apply  to  new  spaces  or  providers  as  the  Plan  is 
implemented. 

Conclusion 

Implementation  of  the  Plan  did  not  compromise 
monitoring  and  enforcement  requirements 
governing  child  care  programs.  Authorities  carry 
out  monitoring  and  enforcement  activities  in 
accordance  with  Statutory  Requirements,  as  well 
as  policies  and  procedures  developed  by  the 
Department. 

However,  the  systems  to  monitor  and  assess 
results,  and  resolve  non-compliance  should  be 
improved.  Under  the  current  monitoring  system, 
there  is  a  risk  that  non-compliance  with  Statutory 
Requirements  or  standards  that  result  in  verbal 
warnings  to  service  providers  may  remain 
unresolved.  Although  verbal  warnings  typify  low-risk 
non-compliance,  failure  to  follow-up  promptly 
increases  the  probability  of  cumulative  negative 
impacts  on  the  health,  safety  and  well-being  of 
children.  We  also  found  monitoring  results  were 
documented  inconsistently.  There  was  often 
insufficient  evidence  of  follow-up  and  enforcement 
steps  taken. 


Findings  and  recommendations 


Documentation  and  training 
Background 

Legislation,  regulations,  and  standards  govern 
Department  and  Authority  systems,  but  child  care 
programs  are  ultimately  carried  out  by  people.  No 
system  can  guarantee  the  safety  of  all  children 
at  all  times;  but  good  systems,  supported  by 
consistent,  well-documented  practices,  can  improve 
the  safety  of  children  in  care  and  the  quality  of  care 
they  receive.  Good  systems  can  also  minimize 
risks  that  children  in  child  care  may  face. 
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Statutory  requirements  govern  such  things  as 
space  per  child,  range  of  equipment,  food  service, 
numbers  and  ages  of  children,  staff-to-child  ratios, 
staff  training,  discipline  and  record  keeping.  The 
five  Authorities  we  visited  had  unique  situations 
affecting  caseloads,  distances  and  community 
dynamics.  They  all  use  the  same  checklists, 
monitor  their  programs  at  the  same  frequency, 
enter  inspection  data  in  CCIS,  and  publicly  post 
inspection  results  at  child  care  programs. 

Licensed  child  care  programs 

Authority  licensing  officers  must  visit  each 
licensed  program  twice  a  year  and  investigate  all 
complaints.  One  of  these  visits  is  scheduled  with 
the  operator,  while  the  other  is  unannounced. 
Inspections  include: 

a  walk-around  of  the  program  facility  to  observe 
staff  interaction  with  children  and  the  condition 
of  equipment  such  as  toys  and  cribs 
calculation  of  staff-to-child  ratios  and  physical 
space  requirements 

review  of  program  documentation  including: 
posting  of  license,  menus,  and  last 
inspection  report 

child  emergency  contact  information 
medication  instructions  and  consent 
staff  training  levels  and  criminal  record 
checks 

All  licensing  officers  follow  the  same  checklist 
for  their  inspections  of  licensed  programs.  The 
checklist  covers  operational  functions  of  the  Child 
Care  Licensing  Regulation,  such  as  administering 
medicine  or  conducting  emergency  evacuations. 
Licensing  officers  may  not  be  able  to  directly 
observe  some  functions  during  their  visit.  In  these 
cases,  the  officer  can  mark  "not  observed"  on  the 
applicable  checklist. 

Approved  family  day  homes 
Authority  staff  schedule  reviews  of  each  Agency, 
and  10%  of  the  homes  the  Agency  oversees  at 
least  annually,  to  ensure  they  are  monitoring 
providers,  and  enforcing  compliance  in  accordance 
with  their  agreement  with  the  Authority.  Authority 
staff  must  also  investigate  all  Agency  reported 


critical  incidents  that  are  reported  to  it.  Licensing 
officers  all  use  the  same  checklists  to  inspect 
approved  day  homes.  The  checklists  cover  every 
item  in  the  Family  Day  Home  Standards  for 
Agencies  and  Homes. 

Checklists  for  an  Agency's  inspection  of  approved 
day  homes  do  not  include  a  "not  observed" 
option.  Instead,  Agency  staff  cross  check  on-site 
observations  with  documentation  that  may  provide 
evidence  of  compliance,  such  as  provider  files. 


Recommendation:  documentation  and 
training 


RECOMMENDATION 


We  recommend  that  the  Department  of 
Children  and  Youth  Services,  working  with  the 
Child  and  Family  Services  Authorities,  review 
documentation  and  training  requirements  for 
monitoring  licensed  and  approved  programs  to 
ensure  requirements  are  being  met. 


Criteria:  the  standards  for  our  audit 

Department  systems  should  clearly  communicate 
licensing  and  inspections  standards  and  ensure 
regulatory  requirements  are  met. 


Our  audit  findings 


Key  Points 


•  Inconsistent  documentation  by  licensing  officers 
across  Authorities 

•  Obtaining  sufficient  supporting  or  corroborative 
evidence  would  improve  the  quality  and 
consistency  of  monitoring 

Licensed  programs 

In  the  majority  of  cases  we  reviewed,  when  the  "not 
observed"  choice  was  available,  it  was  used.  We 
saw  inconsistencies  between  Authorities'  licensing 
officers  in  documenting  "not  observed"  items.  Some 
officers  simply  checked  off  the  "not  observed", 
while  others  noted  that  they  had  reviewed  the 
operator's  plan  for  the  action.  For  example,  when 
documenting  evidence  of  compliance  with  the 
"administering  medicine"  requirements,  some 
officers  wrote  that  they  observed  that  the  provider 
had  identified  which  children  needed  it,  saw  the 
parental  consent  and  instructions  for  administering 
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it,  and  observed  how  it  was  stored.  These 
observations  gave  assurance  that  the  operator  was 
managing  the  administration  of  medication  properly, 
without  the  officer  actually  seeing  the  medicine 
administered.  While  the  "not  observed"  choice 
may  be  appropriate  and  practical  under  some 
circumstances,  guidance  on  obtaining  sufficient 
supporting  or  corroborative  evidence  without 
direct  observation  would  improve  the  quality  and 
consistency  of  monitoring. 

Authorities  record  enforcement  actions  in  CCIS, 
link  it  to  the  corresponding  regulation,  and  do 
some  analysis  of  that  data.  However,  more  detailed 
trend  analysis  of  this  data  may  reveal  the  location, 
timing,  and  types  of  non-compliance,  as  well 
as  help  in  planning  future  monitoring  or  training 
actions.  For  example,  in  our  sample,  we  identified 
a  pattern  across  Alberta  of  non-compliance  with  a 
requirement  for  maintaining  portable  emergency 
records.  This  could  indicate  a  need  for  training  or 
stricter  enforcement  action  in  this  area. 


Implications  and  risks  if  recommendation 
not  implemented 

Without  adequately  documenting  the  results  of 
monitoring  and  enforcement  activities,  Authorities 
and  the  Department  cannot  demonstrate  that  child 
care  programs  meet  Statutory  Requirements  or 
applicable  standards. 

Authority  adherence  to  monitoring  and 
enforcement  policies  and  processes 
Background 

Licensing  officers  use  professional  judgement 
when  assessing  program  compliance.  To  help  them 
do  so  consistently,  the  Department  has  developed 
detailed  policies  and  procedures  that  Authorities 
must  follow.  As  well,  the  Department  has  developed 
a  Risk  Assessment  Framework  to  assist  decision- 
making by  determining  the  degree  of  risk  that  a 
non-compliance  poses  to  the  safety  and  well-being 
of  children  in  a  program.  Use  of  this  Framework  is 
a  policy  requirement.15 

1 5    Policy  was  implemented  effective  November  1 ,  2008. 
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The  Framework  measures  non-compliance 
against  two  criteria:  the  consequence  of  the 
non-compliance  and  the  likelihood  of  that 
consequence  taking  place.  A  risk  score  is  the 
product  of  the  consequence  and  likelihood  scores. 
Licensing  officers  can  use  the  risk  score  to  decide 
on  enforcement  actions,  with  higher  scores  calling 
for  more  severe  enforcement.  Officers  can  also  use 
the  Framework  to  assess  the  cumulative  impact  of 
several  non-compliances  within  one  program. 

Inspection  checklists  have  space  for  licensing 
officers  to  write  comments  and  expand  on  evidence 
they  gather  in  inspections.  Inspectors  can  also  add 
documentation  to  files. 


Recommendation:  improve  consistency  of 
monitoring 


RECOMMENDATION 


We  recommend  that  Child  and  Family  Services 
Authorities  improve  systems  to  ensure  their 
consistent  compliance  with  monitoring  and 
enforcement  policies  and  processes. 


Criteria:  the  standards  for  our  audit 

Department  systems  should  ensure  consistent 
service  delivery  across  the  province.  Authority 
systems  should  apply  enforcement  measures, 
including  monitoring  practices,  consistently  and 
effectively. 


Our  audit  findings 


Key  Point 


Our  review  showed  inconsistencies  in  how 
Authority  staff  documented  their  decision-making 
process  to  apply  an  appropriate  level  of 
enforcement 

Although  use  of  the  Risk  Assessment  Framework 
is  a  policy  requirement,  it  is  not  being  used 
consistently.  In  the  sample  we  reviewed,  we 
found  evidence  that  its  use  was  documented 
in  only  one  case.  We  also  found  a  broad  range 
of  compliance  rates  across  Authorities.  This 
range  may  have  resulted  from  inconsistent  use 
of  the  Risk  Assessment  Framework,  differing 
application  of  professional  judgement,  inspection 
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techniques,  record  keeping  practices,  attitudes 
toward  enforcement,  regional  dynamics  or  some 
combination  thereof.  But  without  adequate 
documentary  support  for  enforcement  actions 
taken,  it's  difficult  to  know  the  reason  for  these 
variances. 

Our  review  of  both  licensed  programs  and 
approved  family  day  home  inspection  files  showed 
inconsistencies  in  how  Authority  staff  documented 
their  decision-making  process  to  apply  an 
appropriate  level  of  enforcement.  Some  officers 
did  not  include  comments,  summaries  or  risk 
assessments  in  the  file;  others  document  evidence 
for  all  findings. 

Implications  and  risks  if  recommendation 
not  implemented 

Without  consistent  processes,  including 
adequate  documentation  of  monitoring  results 
and  enforcement  steps,  the  Department  and 
Authorities  cannot  demonstrate  that  monitoring 
and  enforcement  activities  are  appropriately  and 
consistently  ensuring  compliance  with  Statutory 
Requirements  and  the  department's  policies  and 
procedures. 

Verbal  warnings 
Background 

Licensed  programs 

Authority  licensing  officers  inspect  programs  twice 
a  year.  They  indicate  non-compliance  cases  on  an 
inspection  checklist,  and  post  a  copy  of  it  at  the 
program  site.  Inspection  results  are  also  entered 
into  the  CCIS  information  system,  along  with 
enforcement  actions  and  follow-up  dates. 

Licensing  officers  use  two  primary  enforcement 
tools,  depending  on  the  severity  of  non-compliance: 
a  verbal  warning  or  an  "Order  to  Remedy".  For 
both  warnings  and  orders,  the  officer  sets  a  time 
to  follow  up  on  results.  More  severe  enforcement 
actions  include  placing  conditions  on  the  license, 
issuing  a  probationary  license,  or  cancelling  a 
license.  These  actions  involve  consulting  with 


Authority  supervisors  and  Department  staff,  as  the 
case  requires. 

Approved  family  day  homes 
Authority  staff  visit  each  family  day  home  Agency 
at  least  annually.  The  visit  has  two  parts:  a 
review  of  the  day  home  Agency  operations  and 
a  visit  to  1 0%  of  the  homes  run  by  the  Agency. 
Non-compliance  cases  are  indicated  on  an 
inspection  checklist  and  left  with  the  Agency.  The 
Agency  is  required  under  contract  to  correct  any 
non-compliance  found  in  approved  family  day 
homes.  Authority  staff  discuss  any  non-compliance 
at  agencies  with  the  Agency  operator  and  require 
the  Agency  to  provide  written  notification  that  the 
areas  of  concern  have  been  corrected. 

Recommendation:  improve  follow-up 
processes 


RECOMMENDATION  NO.  3 


We  recommend  that  Child  and  Family  Services 
Authorities  improve  systems  for  monitoring 
and  enforcing  child  care  program  compliance 
with  statutory  requirements  and  standards  by 
ensuring  that  all  verbal  warnings  are  adequately 
documented  and  resolved. 

Criteria:  the  standards  for  our  audit 

Authorities  should  promptly  resolve  non-compliance 
with  regulatory  requirements  and  standards. 

Our  audit  findings 

We  could  not  determine  if  all  the  verbal  warnings 
were  followed-up  and  remedial  actions  taken, 
because  the  necessary  documentation  was  lacking 

Licensed  programs 
In  the  files  we  reviewed,  licensing  officers 
issued  verbal  warnings  to  correct  most  low-risk 
non-compliance  problems  they  observed.  A  verbal 
warning  is  the  first  enforcement  action  available. 

Although  follow-up  action  on  "Orders  to  Remedy", 
the  next,  more  formal  enforcement  action  after 
a  verbal  warning,  were  well  documented  and 
carried  out  promptly,  we  could  not  determine  if 
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all  the  verbal  warnings  were  followed-up  and 
remedial  actions  taken,  because  the  necessary 
documentation  was  lacking.  Without  documentation 
outlining  how  and  when  compliance  is  to  be 
achieved,  and  confirmation  it  has  been  resolved, 
supervisors,  reviewers,  and  subsequent  officers 
cannot  conclude  on  program  compliance. 

Factors  such  as  distance,  caseload  and  seemingly 
low-risk  non-compliance  may  lead  an  officer  to 
wait  several  months  to  follow-up.  For  example,  in  a 
rural  Authority,  an  officer  may  find  that  a  child's  file 
had  incomplete  contact  information.  Perhaps  the 
officer  had  driven  three  hours  to  the  program  and 
three  hours  back  and  would  have  to  do  so  again  to 
confirm  the  information  has  been  recorded.  Instead, 
the  officer  may  decide  to  wait  for  the  next  regular 
inspection.  In  these  cases,  the  officer  could  require 
the  operator  to  fax  or  email  satisfactory  evidence 
of  compliance  by  a  certain  date  and  document  the 
compliance  in  the  file.  We  saw  limited  evidence  of 
this  approach  to  non-compliance  resolution. 

Approved  family  day  homes 
Agencies  are  responsible  for  enforcing  family  day 
home  compliance  with  standards.  Resolution  of 
non-compliance  cases  was  difficult  to  determine 
because  documentation  was  often  lacking. 

Authority  staff  monitor  to  ensure  Agencies  are 
carrying  out  their  responsibilities  in  accordance  with 
their  contractual  arrangement.  Non-compliance 
by  an  Agency  is  communicated  to  and  resolved 
with  Agency  management.  The  Authority  may  also 
terminate  the  Agency  contract  in  accordance  with 
the  terms  of  the  contract,  if  circumstances  warrant. 


Implications  and  risks  if  recommendation 
not  implemented 

Without  documentation  outlining  how  and  when 
non-compliance  is  to  be  resolved  and  confirming 
resolution,  Authorities  cannot  ensure  that  Agencies 
are  monitoring  and  enforcing  approved  family  day 
home  compliance. 

Without  prompt  follow-up  on  non-compliance, 
service  providers  may  not  take  the  necessary 


corrective  actions  or  change  their  behaviour. 
Consistent  failure  to  correct  areas  of  seemingly 
low-risk  non-compliance  increases  the  probability 
of  negative  impacts  on  the  health,  safety  and 
well-being  of  children.  For  example,  a  child  care 
provider's  lack  of  contact  information  would  be 
critical  in  an  emergency. 
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Summary 


The  University  of  Calgary  received  $272  million 
of  research  contributions  for  the  year  ended 
March  31,  2010.  The  University  operates  many 
complex  systems  to  manage  its  research  activities. 
This  year,  we  followed  up  on  our  earlier  audits  of 
the  University's  research  management  systems. 

What  we  examined 

In  2004  and  2005,  we  audited  the  University's 
research  management  systems  in  two  phases.  In 
the  first,  our  audit  focused  on  research  planning, 
systems  for  monitoring  research  results,  and  the 
processes  for  planning,  building  and  maintaining 
research  capacity.  In  our  October  2004  Report 
(pages  254-255),  we  made  two  recommendations 
for  the  University  to  improve  its  research 
management  systems. 

For  the  second  phase,  we  expanded  our  audit  to 
concentrate  on  research  roles  and  responsibilities, 
research  policies,  project  proposals,  project 
management,  and  accounting  for  research 
revenues  and  expenditures.  This  audit  led  to  five 
recommendations  in  our  October  2005  Report 
(pages  90-94). 

We  did  this  follow-up  audit  to  assess  if  the 
University  had  implemented  all  seven 
recommendations. 

Why  this  is  important  to  Albertans 

Research  is  an  important  function  of  the  University; 
it  also  accounts  for  25%  of  the  University's 
revenues.  Well-functioning  management  systems 
help  the  University  achieve  value  for  the  money 
spent,  manage  risks  and  meet  research  sponsors' 
requirements.  Such  systems  also  help  the 
University  remain  accountable  for  its  use  of  public 
funds. 


What  we  found 

Given  that  five  years  have  passed  since  our  original 
audits,  it  is  reasonable  to  expect  the  University  to 
have  implemented  all  of  our  recommendations. 
We  found  criteria  for  four  of  the  seven  public 
report  recommendations  remain  unmet.  Despite 
this,  we  also  found  that  the  University  has  made 
positive  changes  in  the  past  two  years  to  deal  with 
significant  business  issues  in  its  decentralized 
control  environment,  including  issues  underlying 
our  audit  recommendations. 

The  common  theme  that  emerged  from  this 
follow-up  audit  was  that  the  University  did  not 
have  complete  documentation  to  show  how  its 
overall  research  business  processes  operate.  Its 
business  processes  were  constantly  changing  and 
fragmented.  Also,  the  roles,  responsibilities  and 
accountabilities  of  staff  who  administer  and  support 
research  were  not  clearly  defined. 

The  University  is  in  the  final  phase  of  a  multi- 
year  business  transformation  project  called 
Innovative  Support  Services  (iS2).  The  iS2  project 
is  intended  to  reshape  the  University's  critical 
internal  control  systems,  improve  service  and 
reduce  administrative  costs.  In  2009,  the  University 
started  a  project  known  as  Institutional  Research 
Information  Services  Solution  (IRISS).  IRISS's  goal 
is  to  streamline  and  automate  business  processes 
for  managing  the  compliance  and  certification  of 
research  projects.  Besides  serving  the  University's 
business  needs,  management  cited  our  audit 
recommendations  and  those  of  research  agencies 
as  primary  factors  in  advancing  the  business 
cases  for  these  projects.  The  two  projects,  if  well 
executed,  should  help  the  University  implement  our 
repeated  recommendations.  For  example,  under  iS2 
clear  roles  and  responsibilities  of  researchers  and 
support  staff  will  be  established  for  administering 
research  funds,  under  the  University's  new 
Financial  Accountability  and  Authority  Framework. 
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What  remains  to  be  done 

To  improve  the  overall  effectiveness  of  its  research 
management  systems,  the  University  must: 
complete  workforce  planning  at  a  research 
function  level,  finish  building  long-term  human 
resource  plans,  and  improve  its  process  to 
understand,  quantify  and  budget  for  indirect 
costs 

define  research  management  roles  and 
responsibilities  at  the  faculty  level  to  establish 
accountabilities  for  key  contributors  toward 
research 

maintain  current  and  comprehensive  research 
policies,  including  processes  to  review  and 
periodically  update  policies,  and  enforce  policy 
compliance 

refine  its  project  management  practices  by 
developing  tools,  such  as  project  status 
reports,  to  enable  principal  investigators  and 
researchers  to  actively  monitor  and  control 
projects,  especially  large,  complex  projects 


Audit  objective  and  scope 


Our  audit  objective  was  to  determine  if  the 
University  had  finished  implementing  the  seven 
recommendations  from  our  October  2004  and 
October  2005  reports.  We  assessed  the  adequacy 
of  management's  actions  using  the  same  criteria 
we  used  in  our  2004  and  2005  audits. 

To  perform  the  audit,  we: 

interviewed  management  and  staff  to  assess 
the  actions  they  took  to  remediate  issues 
stemming  from  the  original  audits 
tested  systems,  new  processes  and  policies  for 
planning  and  monitoring  research  activities 
examined  samples  of  project  files,  project 
proposals,  business  plans  and  other 
institutional  documentation 

We  conducted  our  field  work  from  February  to 
May  2010,  with  a  focus  on  the  University's  actions 
to  remediate  issues  that  led  to  recommendations 
from  our  previous  audits.  We  focused  on  five  of 
the  University's  16  faculties.  These  five  faculties 
(Medicine,  Engineering,  Veterinary  Medicine, 


Education  and  Science)  receive  90%  of  the 
University's  research  funding. 

For  the  follow-up  audit,  we  did  not  assess  if  the 
University  had  adequate  systems  for  complying 
with  unique  requirements  set  by  each  research 
funding  agency.  Also,  we  did  not  evaluate  the 
University's  actions  to  deal  with  recommendations 
stemming  from  research  agencies'  compliance 
audits.  Those  audits  are  designed  to  make  sure 
grant  funds  are  used  in  accordance  with  agencies' 
requirements. 


Background 


The  University  is  a  research-intensive  institution 
with  a  goal  to  grow  its  research  enterprise.  For  the 
year  ended  March  31,  2010,  the  University  received 
$272  million  in  research  contributions,  compared  to 
$247  million  in  2004.  Research  accounts  for  25%  of 
the  total  revenues  of  the  University. 

Research  is  a  difficult  organizational  activity  to 
manage,  by  its  very  nature.  It  is  creative  rather 
than  structured,  unpredictable  rather  than  planned 
and  unknown  rather  than  familiar.  Nevertheless, 
research  management  has  to  acquire  and  allocate 
resources,  choose  among  potential  projects, 
minimize  risks  and  assess  results.  For  our  2004 
and  2005  audits,  drawing  from  authoritative 
sources  and  our  own  experience,  we  developed 
criteria  for  assessing  the  University's  research 
management  systems.  Our  assessment  found  gaps 
that  formed  the  basis  of  our  recommendations  to 
the  University.  Our  follow-up  in  2010  assessed  if 
University  management  had  closed  those  gaps. 

We  delayed  our  follow-up  audit  because  the 
University  is  undertaking  multi-year  projects  to 
re-engineer  its  business  processes  and  improve 
its  internal  control  systems.  We  wanted  to  allow 
enough  time  for  the  University  to  achieve  stability 
in  its  systems  and  solve  the  issues  found  from  our 
audits. 

In  June  2009,  the  University  started  a  multi-year 
project  called  Innovative  Support  Services,  or  iS2. 
This  project  is  designed  to  improve  the  University's 
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support  services,  reduce  service  costs  and  improve 
internal  controls.  Management  expects  to  finish 
the  iS2  project  in  June  2011 .  In  December  2009, 
the  University's  Board  of  Governors  endorsed  a 
Financial  Accountability  and  Authority  Framework. 
This  framework  is  designed  to  provide  clarity  on 
who  is  authorized  to  decide  how  to  spend  money 
and  who  is  accountable  for  delivering  the  results  of 
those  decisions.  Management  is  now  implementing 
this  framework,  which  they  expect  will  have 
wide-ranging  impacts  on  University  operations, 
including  research  administration.  For  example,  the 
framework  will  clarify  the  financial  accountabilities 
of  researchers,  and  staff  who  support  researchers 
will  have  their  roles  clearly  defined  when  the  new 
integrated  service  delivery  model  is  designed  and 
implemented. 


Findings  and  recommendations 


Improving  research  measures  and 
targets — implemented 
Background 

In  our  October  2004  Report  (page  254),  we 
recommended  that  the  University  improve  its 
measures  and  targets  for  assessing  research 
performance  and  systems  for  monitoring  research 
results.  Our  recommendation  stemmed  from  an 
observation  that  the  University  and  its  faculties 
needed  to  develop  consistent  output  and  outcome- 
orientated  performance  measures  and  targets  for 
assessing  and  monitoring  performance.  We  saw 
that  the  University's  Strategic  Research  Plan  did 
not  identify  targets  for  the  measures,  and  that  some 
of  the  measures  and  targets  in  the  University's 
Business  Plan  differed  from  its  Strategic  Research 
Plan  and  the  Annual  Report. 


Criteria:  the  standards  for  our  audit 

The  University  and  faculties  should: 

prepare  research  plans  that  contain  clear 
goals  and  priorities,  consistent  performance 
measures  and  targets,  and  related  resource 
needs 

monitor  research  results  and  compare  them  to 
goals  and  targets 


Our  audit  findings 


Key  Points 


•  University  developed  consistent  research 
performance  measures  and  targets 

•  Research  results  are  monitored 

The  University  implemented  this  recommendation 
by: 

defining  university-level  key  performance 
indicators  and  targets  for  assessing  research 
performance 

empowering  faculties  to  define  specific 
measures  and  targets  for  their  research 
enterprises  and  disciplines,  through  the 
faculty's  strategic  research  plan  and  business 
planning  process 
monitoring  research  results 

We  reviewed  the  business  plans  of  the  University 
and  five  faculties  (Medicine,  Engineering, 
Veterinary  Medicine,  Education  and  Science),  and 
a  draft  University  Strategic  Research  Plan.  We  saw 
that  many  of  the  measures  in  the  faculty  business 
plans  were  consistent  with  the  University's 
Business  Plan.  Also,  the  University  and  faculties 
have  established  targets  for  a  five-year  period. 

The  University's  2009-2013  Business  Plan 
identified  two  research  performance  measures  and 
related  longer  term  targets.  One  measure  ranks  the 
level  of  growth  in  research  income;  the  other  tracks 
success  in  technology  commercialization,  setting 
goals  for  the  number  of  licences  and  disclosures. 
Further  improvements  in  the  2010  operating  cycle 
included  expanded  qualitative  and  quantitative 
measures.  These  were  reflected  in  the  faculty 
2010-2014  business  plans  and  in  the  University's 
2010-2014  Business  Plan.  At  the  time  of  the  audit, 
the  University  had  not  finished  its  2010  annual 
report.  As  a  result,  we  were  unable  to  assess  if 
the  University's  research  measures  in  the  Annual 
Report  are  consistent  with  its  business  plans. 
However,  the  University's  Office  of  Institutional 
Analysis  has  reported  on  the  business  plan 
measures. 

The  University  expects  faculty  business  plans 
to  identify  at  least  10  research  performance 
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measures  with  a  high  degree  of  consistency  with 
the  University  Business  Plan  and  the  Strategic 
Research  Plan.  These  include  the  number  of 
annual  awards  for  excellence,  peer-reviewed 
publications  by  faculty,  and  the  number  of  research 
chairs.  We  saw  evidence  in  the  sampled  plans  that 
faculties  were  following  the  University's  template 
and,  in  some  cases,  faculties  expanded  the 
measures  to  include  factors  that  are  most  relevant 
for  the  success  of  their  faculty. 

The  University's  Board  of  Governors  approved  a 
Strategic  Research  Plan  after  the  conclusion  of  our 
follow-up  audit.  The  plan  established  a  framework 
for  developing  and  reporting  on  improved 
University-level  key  performance  indicators  (also 
called  performance  measures)  under  five  broad 
categories  of  research  excellence: 

innovation  and  advancement  of  knowledge 
impact  on  academic  and  broader  communities 
success  in  dissemination  of  knowledge 
success  in  funding  competitions 
success  in  training,  mentorship  and  support 

The  University  has  designed  and  is  operating 
systems  to  track  and  monitor  these  research 
performance  measures.  For  example,  the 
University's  Office  of  Institutional  Analysis 
maintains  systems  to  report  on  business  plan 
key  performance  indicators  to  the  Board  and  the 
research  community. 

Planning  for  research  capacity — 
recommendation  repeated 
Background 


Recommendation:  improve  human 
resource  plans  and  system  for  cost 
planning  to  quantify  and  budget  for 
indirect  costs 


RECOMMENDATION  NO.  4— REPEATED 


We  again  recommend  that  the  University  of 
Calgary  improve  its  human  resource  plans  and 
develop  a  system  to  quantify  and  budget  for  the 
indirect  costs  of  research. 


Criteria:  the  standards  for  our  audit 

The  University  and  faculties  should  plan  for,  build 

and  maintain  research  capacity. 

Human  resource  plans  should  provide  for 
attracting,  motivating,  rewarding  and  retaining 
the  right  number  and  calibre  of  researchers  to 
accomplish  research  plans  and  should  be  an 
integral  part  of  business  plans. 
Facility  plans  should  provide  for  the  use, 
acquisition  and  development  of  adequate 
space  to  accomplish  research  plans. 
Funding  of  indirect  costs  should  be  adequate. 


Our  audit  findings 


Key  Points 


•  Multi-year  strategic  university-level  workforce 
plan  not  developed 

•  Analysis  of  space  and  space  capacity  plan 
completed 

•  University  assessment  of  indirect  research  costs 
incomplete 

The  University  implemented  the  space  plans 
component  of  the  recommendation.  However, 
criteria  for  substantive  parts  of  the  recommendation 
remain  unmet.  Our  samples  showed  that  faculties 
included  the  workforce  plan  as  an  integral  part  of 
their  research  plans.  The  University  is  currently 
developing  an  integrated  University-level  workforce 
plan.  We  repeat  the  recommendation  because  the 
University  does  not  have  accurate  information  to 
adequately  quantify  and  budget  for  indirect  costs 
and  faculty  research  workforce  plans  are  not  yet 
integrated  with  the  broader  University  workforce 
plan. 


In  our  October  2004  Report  (page  255),  we  made 
a  numbered  recommendation  to  the  University  that 
contained  three  parts: 

improve  human  resource  plans 

improve  space  plans 

develop  a  system  to  quantify  and  budget  for 
indirect  costs  of  research 

We  repeat  the  parts  of  this  recommendation  that 
were  not  implemented. 
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Human  resource  plans  are  an  integral  part 
of  business  plans — This  criterion  was  unmet. 
Given  the  University's  goal  to  increase  its  research 
activity,  our  2004  audit  stressed  that  the  University 
and  faculties  should  develop  a  long-term  human 
resource  plan  to  ensure  that  they  will  have  the 
staff  to  accomplish  their  goals.  Currently,  faculties 
are  responsible  for  human  resource  planning.  The 
University  has  decentralized  the  budget  process, 
making  human  resource  planning  primarily  the 
responsibility  of  deans.  The  Deans  develop  HR 
plans  with  faculty  members  and  then  review  these 
with  the  provost.  The  University's  business  plan  for 
2009-2013  stated  the  development  of  a  multi-year 
strategic  HR  plan  is  a  "work  in  progress."  Faculties 
have  defined  their  workforce  plans  and  the 
University  monitors  the  plans  quarterly. 

While  the  five  faculties  we  reviewed  had  prepared 
workforce  plans,  there  is  no  consolidation  of  these 
plans  into  an  overall  University  workforce  plan. 
The  aggregation  of  these  plans  would  enable 
senior  management  to  determine  whether  the 
University  can  meet  overall  demands  for  staff.  In 
addition,  strategies  to  manage  and  eliminate  the 
gap  between  the  expected  demand  and  supply  of 
academic  staff  have  not  been  formulated.  Finally, 
we  did  not  see  any  documentation  that  explains 
the  University's  long-term  strategy  for  succession 
planning  to  maintain  its  academic  staff  capacity. 

To  finish  implementing  this  part  of  the 
recommendation,  the  University  needs  to  complete 
its  multi-year  Strategic  Workforce  Plan,  including 
succession  planning  strategies,  and  integrate 
the  workforce  plan  with  the  faculty  and  University 
business  plans. 

Space  capacity — This  criterion  was  met.  Our 
previous  audit  found  that  the  Campus  Community 
Plan  did  not  identify  faculty  requirements  for 
research  and  faculties  did  not  analyze  their  space 
requirements  in  conjunction  with  their  plans  to 
expand  research. 

All  five  of  the  faculty  plans  reviewed  contained  an 
analysis  and  projection  of  space  capacity  planning 


as  part  of  their  business  plans.  The  University 
Business  Plan  also  had  an  overall  University 
Capital  Plan,  which  is  an  aggregation  of  the  various 
approved  faculties'  space  plans. 

Management  states  that  Campus  Planning  is 
currently  working  on  processes,  reviews  and 
audits  to  ensure  spatial  data  are  accurate  and 
are  available  for  reporting  to  internal  and  external 
stakeholders.  Also,  decision  makers  can  use  this 
data  to  manage  current  assets  and  plan  future 
requirements.  Campus  Planning  has  established 
processes  for  all  departments  and  faculties  to 
submit  their  space  plans  for  review  and  approval. 
An  Infrastructure  Project  Approval  Process  has 
been  established  by  the  Office  of  the  Provost 
and  Campus  Planning.  Only  approved  faculty 
space  plans  are  aggregated  to  become  part  of  the 
University  Capital  Plan.  Institutional  commitment  is 
required  for  all  approved  plans. 

Furthermore,  the  University  sets  the  strategic 
direction  for  capacity  planning,  which  provides  a 
framework  for  assessing  space  capacity  for  all  the 
departments  and  faculties.  Currently  there  are  two 
standard  processes  for  planning  of  research  space 
requirements.  The  first  is  through  the  offices  of 
Research  Services,  specifically  the  Partnerships 
Program  Office,  and  the  second  by  use  of  the 
annual  business  planning  process  in  which  all 
academic  units  are  required  to  participate. 

Indirect  costs — This  criterion  was  not  met.  Our 
2004  audit  found  that  the  University  did  not  know 
the  indirect  costs  associated  with  conducting 
research,  whether  at  the  University  level,  the 
faculty  level  or  the  project  level.  We  concluded 
in  2004  that  the  University  could  not  budget  for 
indirect  costs  and  ensure  it  had  sufficient  funding  to 
cover  them. 

During  our  2010  follow-up,  we  reviewed  the 
2009-2013  Business  Plan,  which  stated  that  the 
funding  of  indirect  costs  of  research  support  from 
the  federal  government  remains  at  $12  million  per 
year.  The  University  assumes  these  funds  will  be 
ongoing.  The  University  relies  on  additional  support 
from  provincial  and  federal  government  sources 


Report  of  the  Auditor  General  of  Alberta 
October  2010 


University  of  Calgary — Research  Management — Follow-up 


to  achieve  its  objective  of  growing  research 
revenues.  An  outdated  University  study  showed 
indirect  costs  of  research  totalled  $39  million  for 
the  fiscal  year  ended  March  31 ,  2000.  Currently, 
the  University  uses  information  provided  by  the 
Canadian  Association  of  University  Business 
Officers  and  studies  from  other  sources  such  as  the 
Council  of  Ontario  Universities  to  make  its  indirect 
costs  estimations.  However,  the  University  does 
not  have  a  way  to  accurately  assess  the  impact  of 
current  indirect  costs  of  research  relative  to  its  own 
operations.  The  third-party  information  it  uses  to 
make  indirect  cost  estimations  may  not  be  reflective 
of  true  indirect  research  costs  of  the  University. 
The  University  needs  to  periodically  evaluate  the 
appropriateness  and  validity  of  information  it  uses 
to  estimate  overhead  costs,  if  it  is  going  to  use  this 
information  to  estimate  its  indirect  costs. 

To  fully  implement  this  recommendation,  the 

University  must: 

integrate  the  faculty  research  workforce  plans 
with  a  broader  University  workforce  strategy 
implement  a  process  to  better  understand  its 
indirect  costs  of  research 


Implications  and  risks  if  recommendation 
not  implemented 

Without  a  long-term  human  resource  plan,  the 
University  risks  not  having  the  human  resources 
needed  to  accomplish  its  research  goals.  Without 
an  appropriate  system  for  determining  the  indirect 
costs  of  research,  the  University  cannot  reliably 
estimate  the  impact  of  indirect  costs  of  research. 
If  indirect  costs  are  not  appropriately  measured, 
the  University  may  have  insufficient  funds  to  cover 
these  costs  or  it  may  have  to  use  funds  intended 
for  other  purposes. 

Research  roles  and  responsibilities — 
recommendation  repeated 
Background 

We  first  made  this  numbered  recommendation  in 
our  October  2005  Report  (page  90).  We  repeat 
this  recommendation  because  the  University 


has  not  taken  sufficient  action  to  clarify  roles, 
responsibilities  and  accountabilities  of  the  various 
University  contributors  to  research  activities. 


Recommendation:  define  research 
management  roles  and  responsibilities 


RECOMMENDATION  NO.  5— REPEATED 


We  again  recommend  that  the  University  of 
Calgary  define  research  management  roles  and 
responsibilities. 


Criteria:  the  standards  for  our  audit 

The  University  and  faculties  should  have  clearly 
defined  roles,  responsibilities  and  accountabilities 
for: 

formulating  and  monitoring  compliance  with 
research  policy 

approving,  managing  and  monitoring  research 
programs 

providing  support  to  researchers 
administering  research  funds 


Our  audit  findings 


Key  Points 


•  Not  all  research  policies  define  who  is 
responsible  for  administering,  monitoring  and 
ensuring  compliance 

•  Accountabilities  are  not  well  documented 

•  Assistant  Dean  Research  profiles  and  Dean,  and 
principal  investigator  roles  not  defined 

•  Roles  of  groups  supporting  research  not  defined 
and  documented 

We  repeat  the  recommendation  because  the 
University's  progress  in  resolving  the  issues 
is  unsatisfactory.  The  University  is  currently 
implementing  the  Financial  Accountability  and 
Authority  Framework  as  part  of  a  business 
transformation  project  called  iS2.  This  framework's 
scope  is  to  clearly  define  accountabilities  and 
authorities  related  to  effective  management  of  the 
University's  financial  resources.  Another  aspect  of 
the  project  is  the  implementation  of  an  integrated 
services  delivery  model  for  support  services. 
The  business  transformation  project  will  help  the 
University  act  on  the  issues  highlighted  in  our  audit 
findings. 
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Formulating  and  monitoring  compliance  with 
research  policy — Our  2005  audit  found  that 
not  all  policies  identified  who  is  responsible  for 
administering,  monitoring  and  ensuring  compliance 
with  the  policies.  In  this  year's  follow-up  audit, 
we  reviewed  15  policies  to  determine  if  they 
adequately  defined  the  roles,  responsibilities  and 
accountabilities  for  formulating  and  monitoring 
compliance  with  research  policy.  Of  the  15  policies, 
six  did  not  define  roles  and  responsibilities. 

Currently,  management  in  two  areas,  the  Research 
Services  Office  and  Research  Accounting, 
monitor  compliance  with  the  policies  as  part  of 
their  responsibility  for  monitoring  projects  and 
their  respective  budgets.  In  addition,  even  though 
their  role  is  not  defined  in  the  policies,  faculties 
are  responsible  to  ensure  compliance  with  these 
policies. 

Based  on  interviews  with  research  management, 
we  heard  that  policy  compliance  checks  happen 
as  part  of  research  administration;  however,  in 
our  opinion  this  criterion  is  not  met.  It  is  difficult 
to  establish  accountability  for  a  policy  or  process 
in  the  absence  of  documented  accountabilities. 
For  example,  currently  the  Research  Services 
Office  ensures  compliance  with  the  University's 
intellectual  property  and  ethics  policy  for  each 
project;  however,  this  compliance  monitoring  is 
not  defined  and  documented.  The  University  and 
faculties  should  define,  through  policy,  the  roles, 
responsibilities  and  accountabilities  for  formulating, 
administering  and  monitoring  compliance  with  the 
policy.  The  IRISS  project  is  implementing  tools 
to  help  researchers  and  research  administrators 
monitor  compliance,  starting  with  research  policies 
related  to  the  certification  of  research  projects  using 
humans,  animals  and  biohazardous  materials. 

Approving,  managing  and  monitoring  research 
programs — Our  2005  audit  noted  that  the 
documentation  relating  to  principal  investigators' 
roles  and  responsibilities  varied  from  project 
to  project.  Sponsors  may  also  define  roles 
and  responsibilities  in  some  cases.  The  role  of 


Associate  Deans  Research  in  monitoring  research 
activities  varied  among  the  faculties;  one  faculty  did 
not  have  a  role  description  for  its  ADR. 

For  the  2010  audit,  we  saw  that  the  University 
had  not  finished  defining  and  documenting  the 
roles  of  the  principal  investigators.  The  ADRs 
exercise  oversight  over  the  activities  of  the  principal 
investigators.  We  reviewed  the  ADR  profile  defined 
by  the  University.  In  draft  form,  it  states:  "the 
Associate  Dean  (Research)  is  responsible  for 
research  strategic  planning  in  the  Faculty  and  for 
the  creation  and  refinement  of  targeted  research 
plans  for  alignment  with  other  University  initiatives. " 

In  addition,  from  our  interview  with  the  Senior 
Executive  Director  of  the  Research  Services  Office, 
we  understood  that: 

the  Associate  Deans  Research  Council  has 
reviewed  and  accepted  the  ADR  profile  as  a 
guideline  document 

the  content  of  the  document  is  appropriate  for 
all  faculties 

Faculties  are  expected  to  use  the  ADR  guideline  to 
prepare  faculty-specific  ADR  profiles.  At  the  time  of 
the  audit,  we  were  not  aware  of  an  implementation 
plan  for  the  ADR  role  at  the  faculty  level;  nor  was 
there  a  definition  of  roles  for  principal  investigators. 
Therefore,  we  repeat  this  recommendation  for 
clarity  of  roles,  responsibilities  and  accountabilities. 

Supporting  researchers — The  2005  audit 
recommended  that  the  University  define  roles  and 
responsibilities  of  groups  that  provide  ancillary 
support  to  researchers.  These  groups  include 
supply  chain  management,  human  resources, 
financial  and  legal  services,  facilities  management, 
information  technologies  (IT  support)  and  risk 
management,  safety  and  security.  During  our 
2010  follow-up  audit,  we  observed  that  the  daily 
and  operational  roles  of  some  of  these  groups 
are  noted  in  their  business  plans.  However,  their 
roles  in  supporting  research  are  not  defined  or 
documented.  For  example,  we  found  that  the 
Research  Accounting  and  Research  Services 
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Office  of  the  University  carried  out  financial  and 
legal  reviews  and  that  facilities  management 
played  a  role  in  space  planning  for  research. 
We  concluded  that  the  criterion  was  not  met 
because  support  units  had  not  clearly  defined 
and  documented  their  roles,  responsibilities  and 
accountabilities  for  research. 

Administering  research  funds — The  2005 
audit  reported  that  the  University  had  not  defined 
the  management  oversight  responsibilities  of 
department  heads,  ADRs  and  Deans  with  respect 
to  the  administration  of  research  funds. 

In  our  follow-up  audit,  we  reviewed  the  generic 
ADR  profile  and  noted  that  the  University  had 
defined  specific  responsibility  to  ADRs  for 
administration  of  research  funds.  The  profile  states 
that  an  ADR  is  "responsible  for  relationships  with 
chairs/deans  on  research  issues  such  as  space, 
start-up  funding,  infrastructure  grants  and  general 
research  planning."  It  also  specifies  that  the 
ADR  oversees  review  of  all  research  grants  and 
contract  applications  for  eligibility  requirements, 
administration  of  funds,  space  and  other  resource 
availability,  adherence  to  all  University  policies, 
such  as  Patent  Policy,  Conflict  of  Interest,  Ethics, 
and  Indirect  Costs,  and  overall  budget.  The 
University  expects  faculties  to  use  the  ADR  profile 
and  develop  faculty-specific  ADR  profiles.  However, 
we  consider  this  criterion  as  not  met  because  the 
ADRs'  and  deans'  roles  are  not  defined  at  the 
faculty  level. 

To  fully  implement  this  recommendation,  the 
University  must  define  and  document  roles 
and  responsibilities  for  ADRs,  deans,  principal 
investigators  and  groups  supporting  research,  at 
the  faculty  and  University  level. 


Implications  and  risks  if  recommendation 
not  implemented 

In  the  absence  of  defined  and  well-documented 
roles  and  responsibilities,  project  goals  may  not 
be  achieved  if  the  various  contributors  to  research 
activities  are  not  held  accountable  and  do  not  fully 
understand  their  roles  and  responsibilities. 


Research  policies — recommendation 

repeated 

Background 

We  first  made  this  recommendation  in  our  October 
2005  Report  (page  91 ).  That  recommendation 
contained  two  parts.  This  year,  we  have  repeated 
that  part  of  the  recommendation  where  the  criteria 
are  not  met. 


Recommendation:  maintain  current  and 
comprehensive  research  policies 


RECOMMENDATION  NO.  6— REPEATED 


We  again  recommend  that  the  University  of 
Calgary  ensure  all  research  policies  are  current 
and  comprehensive.  Specifically,  the  policies 
should  identify  who  is  responsible  for  monitoring 
compliance. 


Criteria:  the  standards  for  our  audit 

The  University  should: 

ensure  research  policies  are  current,  clear  and 
comprehensive 

prescribe  signing  authorities  for  research 
funding 

monitor,  assess  and  enforce  policy  compliance 


Our  audit  findings 


Key  Points 


•  Policy  review  process  is  deficient  and  some 
policy  revisions  date  back  to  1976 

•  Work  remains  to  standardize  compliance 
procedures 

We  repeat  this  recommendation  because  the 
University  does  not  have  a  defined  process  in  place 
to  ensure  that  its  research  policies  are  current, 
appropriate  and  monitored  to  ensure  compliance. 

Mechanisms  to  ensure  research  policies  are 
current  and  appropriate — We  concluded  that 
the  criterion  remains  unmet.  The  2005  audit  found 
that  some  policies  were  not  current  and  that  the 
University  did  not  review  all  policies  regularly.  Our 
follow-up  audit  found  that  policy  revision  dates 
ranged  from  1976  to  2008.  However,  we  found 
no  information  on  the  University's  policy  review 
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process,  timelines  for  the  review  of  policies  and  the 
nature  of  revisions  that  occur.  We  also  had  difficulty 
establishing  when  the  last  review  of  policies 
occurred.  Good  practice  is  for  the  University  to 
define  and  follow  timelines  for  policy  reviews  and 
revisions.  Also,  the  policy  document  should  specify 
the  date  of  last  review  and  revision. 

Our  previous  audit  also  found  that  there  was 
no  policy  to  define  when  agreements  among 
institutions  (inter-institutional  agreements)  are 
required.  During  the  current  audit,  we  reviewed 
a  draft  of  Research  Grants  or  Awards  Requiring 
Agreements  Guidelines  for  Research  Services  & 
Research  Accounting.  This  policy  document  stated: 
"if  the  funding  is  provided  in  support  of  project 
with  multiple  participants,  an  agreement  may 
be  necessary."  However,  this  statement  may  be 
interpreted  widely  and  does  not  represent  a  clear 
policy  of  the  University  stating  when  agreements 
among  institutions  are  mandated. 

Signing  authorities — This  criterion  was  met.  We 
reviewed  the  University's  draft  Signing  Authority 
and  the  Financial  Authority  Policy.  We  observed 
that  the  Research  Services  Office  website  includes 
guidance  for  researchers  in  the  form  of  Frequently 
Asked  Questions  about  the  contracts,  agreements, 
legal  support  and  signing  authorities.  We  also  saw 
RSO  forms  designed  to  obtain  funding  application 
approvals  and  the  vice  president  research's 
signature  for  funding  projects.  RSO  confirmed 
that  all  research  agreements  are  to  be  processed 
by  its  Legal  and  Intellectual  Property  unit  and 
that  it  is  their  responsibility  to  ensure  agreements 
are  signed  by  the  appropriate  authorized  signing 
officers. 

Policy  compliance — In  our  opinion,  the  University 
partially  met  this  criterion,  since  the  University  is 
still  in  the  process  of  standardizing  its  compliance 
procedures.  Our  previous  audit  found  mechanisms 
to  monitor  the  implementation  of  some,  but  not  all, 
policies.  At  the  time  of  the  original  audit,  there  was 
no  mechanism  to  ensure  compliance  with  ethics 
certification  or  ethics  and  intellectual  property 


policies.  In  the  current  audit,  we  observed  that 
the  University  has  launched  the  IRISS  project. 
This  project  is  designed  to  identify  gaps  in 
processes,  streamline  processes  and  implement 
an  automated  system  for  processing  and  tracking 
all  institutional  human  ethics,  animal  care  and 
bio-safety  requirements.  The  University  expects 
that  completion  of  the  IRISS  project  will  harmonize 
compliance  processes  and  make  them  more 
efficient. 

Legal  counsel  reviews  are  an  integral  part  of 
the  Research  Services  Office's  activities.  The 
Legal  and  Intellectual  Property  unit  is  responsible 
for  reviewing  and  assessing  all  new  research 
agreements.  Additionally,  the  unit  collaborates 
with  departments  and  faculties  and  obtains 
input  for  departmental  and  partnership  research 
agreements. 

In  situations  where  researchers  disclose 
inventions  to  the  University's  intellectual  property 
management  company,  University  Technologies 
International  (UTI),  to  commercialize  their  research, 
the  RSO  collaborates  with  UTI  to  conduct  due 
diligence.  Through  this  process,  UTI  ensures  that 
the  researcher  understands  the  commercialization 
rights. 

Furthermore,  UTI  reminds  researchers  of  their 
responsibility  to  make  disclosures  relating  to 
intellectual  property  or  commercialization  of  the 
research.  This  is  reinforced  in  presentations 
to  researchers  done  by  UTI  and  the  Legal  and 
Intellectual  Property  unit.  We  reviewed  the 
Intellectual  Property  Guide,  which  provides 
an  overview  of  the  University's  Intellectual 
Property  Policy  and  expert  resources  available 
for  the  benefit  of  researchers.  Furthermore,  the 
University's  IP  Policy  requires  researchers  to 
disclose  the  commercialization  of  their  inventions. 

To  fully  implement  this  recommendation,  the 
University  must  define  and  implement  a  process 
to  ensure  that  research  policies  are  current, 
appropriate  and  monitored  to  ensure  compliance. 
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Implications  and  risks  if  recommendation 
not  implemented 

Unless  policies  are  current  and  comprehensive, 
and  roles  and  responsibilities  for  monitoring  policy 
compliance  are  properly  defined,  project  goals  may 
not  be  achieved. 

Project  management — 
recommendation  repeated 
Background 

We  first  made  this  recommendation  in 
our  October  2005  Report  (page  93).  The 
recommendation  contained  two  parts:  ensure 
researchers  comply  with  sponsors'  terms  and 
conditions,  and  use  project  management  tools 
for  large,  complex  projects  to  ensure  research 
is  cost  effective.  Common  project  management 
tools  include  project  charters,  work  plans,  projects 
status  reports,  risk  reports  and  issues  escalation 
management  reports. 

The  recommendation  stemmed  from  the  following 
weaknesses: 

There  was  non-compliance  with  sponsor  terms 

and  University  policy. 

None  of  the  principal  investigators  interviewed 
during  the  audit  had  developed  more  detailed 
plans. 

Except  for  financial  reporting  tools,  the  principal 
investigators  did  not  use  project  management 
tools  to  monitor  and  control  the  progress  of 
their  larger  projects. 

Over-expenditures  were  not  tracked  in  some  of 
the  projects  reviewed. 
The  University  had  not  defined  its  own 
reporting  requirements. 

We  repeat  the  second  part  of  the 
recommendation  because  insufficient  steps 
were  taken  to  resolve  the  weaknesses. 

During  our  2010  follow-up,  we  tested  project 
documentation  from  five  faculties  (Medicine, 
Science,  Education,  Veterinary  Medicine  and 
Engineering)  covering  projects  that  were  externally 
and  internally  funded,  inter-institutional,  and 
billable. 


Recommendation:  use  project 
management  tools  for  large,  complex 
projects 


RECOMMENDATION— REPEATED 


We  again  recommend  that  the  University 
of  Calgary  and  its  faculties  use  project 
management  tools  for  large,  complex  projects  to 
ensure  research  is  cost  effective. 


Criteria:  the  standards  for  our  audit 

Researchers  and  research  teams  should: 
comply  with  sponsor  terms  and  University 
policies 

prepare  detailed  project  plans  for  complex 
projects 

use  processes  to  manage  research  projects 
cost  effectively 

control  project  expenditures  against  budgets 
and  incur  expenditures  only  for  the  purpose 
intended 

ensure  project  results  are  adequately  reviewed 


Our  audit  findings 


Key  Points 


•  Project  files  had  checklists  to  show  compliance 
with  terms  in  sponsor  agreements 

•  Sampled  files  had  project  plans 

•  Tools  for  principal  investigators  to  manage 
projects  were  not  fully  developed 

•  University  should  assess  the  need  for  a  central 
repository  to  maintain  complete  project 
information 

•  Controls  for  ensuring  grant  funds  were  used  in 
accordance  with  agencies'  requirements  needs 
improvement 

We  repeat  this  recommendation  because  the 
University  has  not  finished  developing  project 
management  tools  for  researchers.  Also,  the 
University  has  not  established  a  process  for 
monitoring  the  status  of  all  projects.  Currently, 
only  those  that  have  reporting  requirements  tied  to 
sponsor  funding  requests  have  robust  monitoring 
processes.  In  addition,  in  recent  years,  federal 
agencies  had  reviewed  the  University's  systems 
to  administer  grants  funds  in  accordance  with 
the  agencies'  requirements  and  found  them  to  be 
deficient. 
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Compliance  with  sponsor  terms  and  University 
policy — This  criterion  was  met.  The  scope  on 
reviewing  this  criterion  is  the  compliance  with  terms 
defined  in  the  agreements  between  sponsors  and 
the  University  as  well  as  the  policies  applicable  to 
each  project.  We  tested  projects  and  saw  evidence 
of  compliance.  We  found  that  each  project  file 
had  a  checklist  that  tracked  the  required  project 
documentation,  compliance  requirements  and 
project  approvals. 

Project  planning  tools — The  2005  audit  found 
that  detail  project  plans  were  not  developed  during 
the  planning  of  projects.  For  our  follow-up,  we 
obtained  three  project  charters  for  complex  projects 
and  saw  the  following  elements  described  in  detail: 

scope 

approach 

key  activities  and  milestones  for  each  phase 
assumptions 

roles  and  responsibilities  for  the  team  members 

Therefore,  this  criterion  has  been  met. 

Project  management  tools — The  criterion  has  not 
been  met.  The  University  has  still  not  developed 
project  management  tools  for  principal  investigators 
to  monitor  and  control  progress  of  their  projects. 
The  projects  we  tested  showed  evidence  only  of 
budget  monitoring.  Also,  we  noted  that  E-PROJ 
and  E-Fin  systems  were  used  to  track  the  status  of 
financial  reporting  for  the  project.  The  level  of  detail 
for  financial  reporting  varied  based  on  whether  the 
reporting  was  required  by  the  sponsor  or  done  for 
internal  purposes. 

In  cases  of  non-financial  reporting,  no  information 
was  available  in  the  files  maintained  in  the 
Research  Services  Office  unless  the  reporting  was 
tied  to  sponsor  funding  requests.  In  addition,  we 
found  no  evidence  on  the  specific  timelines  and 
tracking  of  deliverables  to  submit  to  the  sponsor. 
Principal  investigators,  researchers  and  research 
administrators  access  a  patchwork  of  systems  and 
spreadsheets  to  obtain  a  complete  understanding 
of  the  financial  and  non-financial  aspects  of  the 
projects. 


To  further  improve  efficiencies  in  project 
management,  the  University  should  evaluate  the 
merits  of  maintaining  all  financial,  non-financial, 
pre-  and  post-award  project  information  in 
a  centralised  repository,  develop  roles  and 
responsibilities  for  monitoring  project  performance, 
and  maintain  evidence  of  such  monitoring. 

Controlling  expenditures — The  scope  of  our 
review  did  not  include  transactional  work;  for 
example,  approval  and  allocation  of  expenditures 
to  meet  grant  agency  or  internal  requirements. 
However,  the  Natural  Sciences  and  Engineering 
Research  Council  of  Canada  and  the  Social 
Sciences  and  Humanities  Research  Council 
of  Canada  performed  a  cyclical  joint  financial 
monitoring  review  at  the  University.  They  concluded 
in  a  February  2010  report  that  the  management 
control  framework  for  ensuring  grant  funds  used 
in  accordance  with  the  agencies'  requirements 
continues  to  be  unsatisfactory.  Based  on  this 
finding,  we  concluded  that  the  criterion  was  not 
met. 

Reviewing  project  results — Our  previous  audit 
found  that  sponsors  specified  the  reporting 
requirements.  However,  the  University  had  not 
defined  its  own  reporting  requirements,  such  as 
peer  review  of  research  reports.  In  our  follow-up 
audit,  we  did  not  see  any  evidence  of  reporting  and 
requirements  for  reporting  on  internal  projects. 

We  understand  that  peer  review/quality  assurance 
of  projects  is  determined  by  the  nature  of  the 
project  or  by  the  faculty,  and  that  researchers  are 
responsible  for  quality  assurance  of  their  projects. 
For  all  the  projects  we  tested,  we  did  not  find 
any  information  related  to  quality  assurance  in 
the  project  files.  Quality  assurance  procedures 
include  independent  and  peer  reviews.  Due  to 
the  confidentiality  and  the  specialization  of  the 
research  area,  peer  reviews  may  not  always  be 
possible  or  practical.  The  faculty  should  define 
and  document,  before  the  research  project  begins, 
its  quality  assurance  requirements,  including  the 
scope  of  and  necessity  for  peer  reviews. 
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To  fully  implement  this  recommendation,  the 

University  must: 

assess  the  need  for  a  central  repository  for 
maintaining  all  financial  and  non-financial 
project-related  information  to  provide  principal 
investigators,  researchers  and  administrators 
a  single  source  for  obtaining  key  information  to 
manage  projects 

develop  roles  and  responsibilities  for 
monitoring  project  performance,  and  maintain 
evidence  of  such  monitoring 
develop  tools,  such  as  project  status  reports,  to 
help  principal  investigators  and  researchers  to 
manage  large,  complex  projects 
improve  the  process  to  control  project 
expenditures,  including  designing  and 
operating  effective  systems  to  comply  with 
requirements  set  by  project  funders 
implement  a  consistent  process  for  reporting  on 
all  research  projects 


Implications  and  risks  if  recommendation 
not  implemented 

In  the  absence  of  strong  and  clearly  defined 
project  management  practices,  projects  may  not  be 
cost-effective.  Without  an  effective  control  system 
for  ensuring  research  expenditures  comply  with 
research  sponsors'  requirements,  the  University 
may  lose  research  funding. 

Business  case  for  research  project 
proposals — implemented 
Background 

In  our  October  2005  Report  (page  92),  we 
recommended  that  the  University  and  its  faculties 
complete  a  business  case  for  all  large,  complex 
research  proposals.  Our  original  audit  found  that 
research  proposals  included  some  elements  of 
a  business  case;  however,  key  items  were  often 
missing. 


Criteria:  the  standards  for  our  audit  

Faculties  should  establish  clear  processes 
for  reviewing  proposals  and  should  submit  all 


applications,  proposals  and  contracts  through 

Research  Services  Office,  which  obtains  all 

other  appropriate  reviews. 

Funding  sought  should  be  appropriate  and 

sufficient. 


Our  audit  findings 


Key  Points 


•  Project  proposals  contain  key  elements  of 
business  case 

•  Sampled  projects  had  detailed  budgets 

The  University  fully  met  these  criteria.  We  saw 
evidence  of  proposal  reviews,  improvements  in  the 
content  of  proposals,  confirmation  of  funding 
requirements  and  an  established  process  to 
evaluate  proposals. 

Clear  process  for  preparing  and  reviewing 
proposals — In  our  2005  audit,  we  found  that 
research  proposals  lacked  certain  key  elements 
found  in  business  cases,  such  as  how  the  project 
aligns  with  the  faculty  research  plan  and  the 
University  Academic  Plan,  a  cost/benefit  analysis, 
challenges  and  risks,  facilities  and  equipment 
required,  and  how  project  progress  will  be 
monitored. 

During  2010,  we  reviewed  a  sample  of  five 
proposals.  We  saw  that  three  in  the  sample  did  not 
explain  challenges  and  risks;  one  of  the  proposals 
did  not  consider  the  use  of  facilities  and  another 
did  not  identify  how  the  proposal  would  be  peer 
reviewed.  We  corroborated  our  findings  with  the 
RSO  and  obtained  an  explanation  that  not  all  of 
the  elements  of  a  business  case  are  required 
to  be  documented  for  all  project  proposals.  We 
evaluated  the  missing  elements  and  concluded 
that  they  were  not  significant  and  valid  business 
reasons  supported  their  exclusion.  In  some 
instances,  specific  elements  may  be  excluded  if 
they  are  not  needed  to  make  the  business  case. 
RSO  confirms  this  when  reviewing  proposals. 
Based  on  this  confirmation,  we  concur  that  the 
current  documentation  on  proposals  requirements 
is  appropriate. 
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Sufficiency  of  funding — All  five  project  proposals 
we  tested  showed  evidence  of  detailed  budgets 
and  sufficient  funding. 

Improve  financial  controls  on  research 
accounts — implemented 
Background 

In  our  October  2005  Report  (page  94),  we 
recommended  that  the  University  improve 
financial  controls  on  research  accounts.  Our 
2004  financial  statement  audit  produced  a  similar 
recommendation,  which  broadly  focused  on 
improved  controls  needed  for  over-expended 
research  accounts,  reporting  to  research  sponsors, 
monitoring  research  and  trust  aged-receivables, 
and  updating  the  University's  signing  authority 
policy.  Our  2005  research  management  audit 
identified  weaknesses  in  the  maintenance  of 
research  accounts  and  prompt  billing  of  contract 
revenue. 

The  Research  and  Trust  Accounting  unit  is 
responsible  for  administering  the  research 
accounts  after  the  research  sponsor  awards  funds. 


Setting  up  and  maintaining  accounts— 

In  our  2010  follow-up  audit,  we  tested  five 
inter-institutional  projects  and  found  that  sponsor 
agreements  and  certifications  were  in  place  before 
the  University  issued  any  advances.  Financial 
reporting  is  performed  only  when  required  by  the 
sponsor  or  when  the  funding  is  dependent  on 
reporting.  We  saw  evidence  of  financial  reporting  in 
the  sampled  files  that  required  sponsor  reporting. 
There  were  no  exceptions  noted  in  our  sample  for 
the  timeliness  of  external  reporting.  In  all  cases, 
we  noted  evidence  of  team  member  authorization 
forms  for  new  project  members  and  removal  of 
authority  for  those  who  were  no  longer  members  of 
the  project  team. 

Billing  promptly — In  our  follow-up  audit  in  2010, 
we  tested  a  sample  of  five  billable  projects  for 
timeliness  of  billing  by  checking  billing  dates 
against  agreement.  We  found  no  exceptions 
relating  to  the  timeliness  of  billing. 


Criteria:  the  standards  for  our  audit 

Research  and  Trust  Accounting  should  maintain 
accounts  and  promptly  bill  contract  revenue. 


Our  audit  findings 


Key  Points 


•  Sound  financial  reporting  to  sponsors  and  good 
processes  for  maintenance  of  research  accounts 

•  Sampled  billable  projects  had  timely  billings 


The  University  finished  implementing  the 
recommendation  by  improving  its  maintenance  of 
research  accounts  and  promptly  billing  contract 
revenue.  In  addition,  we  followed  up  controls 
deficiencies  identified  in  our  financial  statement 
audits;  in  2010,  we  concluded  the  University  has 
eliminated  these  control  deficiencies.  See 
page  117. 
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Summary 


Sustainable  Resource  Environmental 
Management — changed  circumstances 
Chronology  of  sustainable  development 
audit  activity 

Sustainable  resource  and  environmental 
management  (SREM)  involves  managing 
resources  in  an  environmentally  sustainable 
fashion.  This  means  considering  environmental, 
economic,  and  social  objectives  when  developing 
and  implementing  public  policies  and  programs, 
and  considering  the  needs  of  the  present  as  well 
as  future  generations.  Sustainable  development 
leads  to  a  healthy  economy  and  environment,  and 
a  better  quality  of  life. 

In  1999,  the  Government  of  Alberta  released 
Alberta's  Commitment  to  Sustainable  Resource 
Development.  The  Commitment  outlined  the 
government's  goal  of  attaining  sustainable 
development  in  Alberta  through  clear  government 
direction,  integrated  decision  making  and  an 
up-to-date  regulatory  regime. 

In  our  October  2003  Report  (no.  13— page  105), 
we  recommended  that  the  Deputy  Minister 
of  Environment  complete  the  legislative  and 
regulatory  review  required  by  the  Commitment  and 
annually  report  the  progress  on  the  Commitment. 
We  took  the  view  that  a  logical  way  to  test  progress 
was  to  use  the  elements  of  an  accountability 
model: 

Those  who  use  public  resources  should: 

1.  set  measurable  goals 

2.  plan  what  needs  to  be  done  to  achieve  the 
goals,  and  indicate  responsibilities 

3.  do  the  work  and  monitor  progress 

4.  report  on  results 

5.  evaluate  results  and  provide  feedback 

In  effect,  we  saw  the  SREM  concept  as  one 
measurable  initiative. 


In  2005,  the  Commitment's  strategies  were 
turned  into  a  medium-term  strategy  in  the 
province's  20-year  strategic  business  plan  "to 
achieve  outcome-based  management  systems, 
integrated  policies,  and  streamlined  regulatory 
processes".  The  responsibility  for  implementing 
the  Commitment's  strategies,  previously  assigned 
to  the  Ministry  of  Environment,  were  to  be  shared 
by  the  ministries  of  Environment,  Energy,  and 
Sustainable  Resource  Development.  The  three 
ministries  established  a  SREM  office  with  an  initial 
two-year  mandate  to  support  and  coordinate  the 
implementation  of  the  SREM  strategies. 

In  our  October  2005  Report,  we  reported  that  the 
ministries  had  goals  but  had  not  yet  developed 
a  mechanism  for  reporting  results.  We  further 
recommended  (no.  14 — page  72)  that  the  Deputy 
Ministers  of  Environment,  Energy,  and  Sustainable 
Resource  Development  publish  a  SREM 
implementation  plan. 

In  our  October  2006  Report  (page  195)  we  reported 
that  the  three  ministries  had  made  progress,  but 
still  had  not  fully  implemented  our  recommendation. 
The  following  matters  remained: 

1 .  establish  how  cross-ministry  projects  will  be 
planned  for  and  coordinated  once  the  SREM 
office  no  longer  exists 

2.  develop  a  mechanism  for  tracking 
cross-ministry  projects 

3.  have  a  mechanism  to  evaluate  the  overall 
progress  of  implementing  the  SREM  strategies 

By  2007,  the  SREM  office  designed  a  conceptual 
framework  for  implementing  SREM  strategies. 
It  began  to  implement  the  strategies  through 
a  number  of  cross-ministry  initiatives  such  as 
cumulative  effects  management. 

In  2008,  the  SREM  office  transitioned  its 
responsibilities  to  the  three  ministries  and  ceased 
to  exist.  Since  then,  the  three  deputy  ministers 
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assumed  responsibility  for  continued  advancement 
of  the  SREM  strategies  within  government. 

A  number  of  significant  changes  have  occurred 
since  our  2004-2005  audit  making  our  outstanding 
recommendation  is  no  longer  valid. 

There  is  not  one  overall  plan  nor  one  overall 
reporting  mechanism  on  the  progress  of 
implementing  SREM.  Rather,  the  way  in  which 
the  government  has  operationalized  SREM,  to 
pursue  the  concepts  of  the  Commitment,  is  evident 
in  specific  strategies  such  as  development  of  the 
Land-use  Framework  and  supporting  Secretariat, 
the  Regulatory  Enhancement  Project,  and  the 
Regulatory  Alignment  Project,  all  in  which  SREM 
concepts  are  embedded. 

The  three  Deputy  Ministers  meet  regularly 
to  ensure  that  cross-ministry  projects  with 
significant  environmental  effects  are  approached 
in  a  collaborative  fashion.  Collaboration  has  now 
become  the  way  of  doing  business.  Instead  of 
overall  planning  and  reporting  on  SREM,  the 
ministries  use  the  existing  business  planning 
and  annual  reporting  processes  to  demonstrate 
accountability  for  individual  projects. 


Conclusion 


In  the  absence  of  the  government  measuring 
and  reporting  on  the  overall  success  of  SREM 
strategies,  which  we  had  originally  thought  was 
intended,  we  cannot  assess  whether  the  strategies 
have  been  successfully  implemented. 

In  the  future,  we  plan  to  audit  some  key  projects 
with  significant  environmental  effects  to  assess 
whether  they  are  managed  with  due  regard  for 
economy,  efficiency  and  environmental  effects,  and 
whether  there  are  measures  in  place  to  determine 
their  effectiveness  in  relation  to  the  original  SREM 
goals. 
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Conduct  risk  assessment  of  contracts — 

implemented 

Background 

In  our  October  2009  Report  (page  53),  we 
recommended  that  the  Public  Affairs  Bureau 
conduct  a  risk  assessment  of  its  Agency  of  Record 
contracts  and  develop  a  plan  to  manage  the  risks  it 
identifies. 


Our  audit  findings 

We  examined  PAB's  risk  assessment  on  their 
Agency  of  Record  contracts. 

A  risk  assessment  was  conducted  by  PAB  on  the 
following  four  contracts: 

Agency  of  Record  for  Media  Buying 

Legal  and  Tender  Advertising 

Informational  Advertising  Agency  of  Record 

Recruitment  Agency  of  Record 

The  risk  assessment  template  included  five 
components: 

risk  identification 

risk  background 

risk  evaluation 

risk  management,  and 

the  position  responsible  for  dealing  with  the  risk 

This  risk  assessment  template  was  approved  by 
senior  management. 

For  the  four  contracts,  the  risk  assessment 
identified  the  risk,  provided  background  on  the  risk, 
evaluated  the  risk  level,  detailed  management's 
response  to  the  risk  and  identified  the  person(s) 
responsible  for  managing  the  risk.  PAB  performed 
proper  risk  assessments  of  the  four  contracts  and 
developed  a  plan  to  deal  with  the  identified  risks. 
We  therefore  conclude  that  PAB  implemented  our 
recommendation. 
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Summary 


ATB  installed  its  current  banking  and  accounting 
systems  in  the  mid-1980s.  ATB  is  replacing  its 
current  systems  with  SAP1  banking  and  accounting 
systems.  The  project,  known  as  Core,  will  transform 
ATB's  banking  system,  financial  reporting  system, 
and  internet  and  telephone  banking  applications. 
ATB  is  also  re-engineering  the  majority  of  its 
business  processes  to  take  advantage  of  SAP's 
functionality. 

ATB  started  the  Core  project  because: 

ATB's  aging  technology  platforms,  complex 
computing  environments,  and  cumbersome 
processes  limit  its  ability  to  grow  and  continue 
providing  financial  services  to  Albertans. 
If  it  continued  to  operate  in  this  manner, 
ATB  faces  major  risk  of  frequent  and  extended 
service  disruption  and  being  unable  to  comply 
with  an  increasingly  rigorous  regulatory 
environment. 

ATB's  Core  project  is  a  significant  capital 
investment  by  ATB.  Originally  budgeted  at 
$160  million,  Core  is  now  expected  to  be 
completed  at  a  cost  of  approximately  $320  million 
and  to  go  live  in  April  201 1 ,  one  year  after  its 
original  planned  go  live  date  of  April  2010. 

What  we  examined 

In  our  April  2010  Report,  we  reported  on 
inadequate  project  governance2  and  management3 


SAP  is  a  company  that  provides  business  software 
products  and  services.  ATB  selected  SAP's  banking 
platform  and  SAP's  corporate  accounting  system  as  the 
information  technology  solution  for  ATB's  core  banking  and 
corporate  accounting  transformations. 
Governance  includes  the  processes  and  responsibilities  for 
ownership  and  oversight  of  the  project,  including  initiating 
it,  ensuring  it  meets  the  ongoing  needs  of  the  organization, 
accepting  its  results  and  ensuring  its  operational 
implementation  within  the  organization. 
Project  management  is  the  application  of  knowledge, 
skills  and  techniques  to  meet  a  project's  objective  and 
requirements.  It  includes  project  initiation,  planning, 
execution,  control  and  termination. 


within  ATB's  Core  project,  which  resulted  in 
delays  and  escalating  costs.  This  follow-up  audit 
assessed  ATB's  progress  in  implementing  the 
four  recommendations  from  our  April  2010  Report 
(beginning  on  page  81). 

When  we  initially  examined  ATB's  project 
governance  and  management  processes  for  its 
new  banking  system  implementation,  we  found 
that: 

the  Core  project  was  significantly  over  budget 
and  behind  schedule 
ATB's  project  governance  and  controls 
processes  were  inadequate;  management  did 
not  identify  or  resolve  the  issues  that  caused 
delays  and  cost  increases 

We  followed  up  our  four  recommendations  because 
ATB  informed  us  that  it  had  implemented  them.  The 
Core  project  is  still  ongoing  and  ATB  expects  the 
new  banking  system  to  go  live  in  April  2011. 

Why  it  is  important  to  Albertans 

Through  the  successful  implementation  of  this 

project,  ATB  expects  to: 

reduce  its  reputational  and  operational  risks  of 
frequent  and  extended  service  disruptions  to  its 
banking  systems 

provide  better,  more  efficient  and  effective 
services  and  products  to  customers 

It  is  also  important  that  the  new  banking  system 
have  well-designed  and  effective  internal  controls 
that  mitigate  significant  risks.  In  our  October  2009 
Report,  we  commented  on  the  project's 
consideration  of  internal  controls  during  the  design 
process.  We  have  completed  a  progress  report  on 
that  audit  in  the  Ministry  of  Finance  and  Enterprise 
chapter  of  this  report — see  page  152. 

What  we  found 

ATB  has  put  in  place  project  governance  and 
management  processes  that  resolve  the  issues 
we  identified  in  our  April  2010  Report.  These 
new  processes  reduce  the  risks  of  delayed 
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implementation  and  cost  overrun,  and  provide 
those  with  oversight  responsibility  with  better 
information  to  make  critical  decisions.  The  new 
project  governance  and  management  processes 
improve  ATB's  controls  over  the  project's  scope, 
time  and  cost.  However,  these  new  processes  are 
not  a  guarantee  the  Core  project  will  be  completed 
as  expected  and  deliver  all  of  the  originally 
anticipated  benefits. 


developing  a  new  project  plan  with  a 
realistic  schedule  and  budget  to  complete 
the  project 

2.   examine  its  project  management  controls 
and  clearly  identify,  and  put  in  place,  the  new 
controls  necessary  to  minimize  the  risk  that  the 
project  will  not  be  completed  within  the  revised 
timelines  and  budget  or  will  not  deliver  the 
expected  functionality 


Audit  objective  and  scope 


Our  objective  was  to  determine  if  ATB  has 
implemented  the  four  recommendations  in  our 
April  2010  Report  by: 

defining  and  finalizing  the  scope  of  its  Core 

banking  project 

creating  a  new  realistic  project  plan  with  new 
deadlines  and  budgets 

improving  its  governance  and  oversight  of  the 
project 

improving  the  quality  and  level  of  detail  of 
project  reporting 

In  performing  the  follow-up  audit,  we  reviewed 

ATB's  processes  to: 

resolve  business  decisions,  and  define  and 
finalize  the  scope  of  the  Core  banking  project 
create  a  new  project  plan,  schedule  and  budget 
to  go  live  in  April  2011 

assess  the  new  project  plan's  milestones  and 
the  criteria  ATB  used  to  declare  them  achieved 
report  on  the  project's  status  to  the  oversight 
groups 


Findings  and  recommendations 


Project  management — implemented 
Background 

In  our  April  2010  Report  (page  84),  we 
recommended  that  Alberta  Treasury  Branches: 
1 .    improve  the  management  of  its  Core  project  by: 
resolving  pending  business  decisions, 
dealing  with  remaining  change  requests, 
and  locking  down  the  project's  scope  so 
that  the  project's  design  phase  can  be 
completed 


Our  audit  findings 


Project  management 

ATB  improved  the  management  of  its  Core  project 

by: 

creating  an  Executive  Advisory  Council, 
comprised  of  three  senior  ATB  executives  who: 
reviewed  the  project  and  resolved  pending 
business  decisions  based  on  business 
processes  and  needs 
reviewed  all  outstanding  change  requests 
and  determined  which  ones  were 
necessary  to  provide  functionality  at  go  live 
having  the  project  team: 

implement  a  new  process  to  review  and 
approve  or  defer  change  requests  made 
as  a  result  of  new  information  or  needs, 
after  the  Council  finished  their  initial  scope 
definition 

"recalibrate"  the  Core  project  by 
reassessing  the  initial  Core  project  plan 
and  developing  a  new  project  plan  with 
new  milestones,  resource  needs,  budget 
and  go  live  date 

finalize  or  "freeze"  the  scope  of  the  project 
and  present  the  new  project  plan  and 
budget  to  ATB's  Audit  Committee  for 
approval 

Project  management  controls 

ATB  improved  its  project  management  controls  by: 
appointing  a  new  project  manager  with 
significant  experience  implementing  large 
and  complex  SAP  systems.  This  individual  is 
directly  accountable  to  the  Strategic  Steering 
Committee.4 


4     The  Strategic  Steering  Committee,  consisting  of  ATB  senior 
executives  and  chaired  by  ATB's  CEO,  was  established  to 
oversee  ATB  projects. 
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implementing  a  new  regular  reporting  process 
to  demonstrate  whether  the  project  is  on  time 
and  on  budget 

ensuring  that  the  Strategic  Steering  Committee, 
Audit  Committee,  and  the  newly  created 
Executive  Implementation  Team5  have  more 
oversight  of  and  more  accountability  for  the 
project 

New  project  management  and  reporting  controls 
were  implemented  to  increase  the  probability 
of  the  project  being  completed  on  time  and  on 
budget.  New  reporting  requirements  included 
daily  input  of  the  amount  of  work  completed  and 
the  resources  used,  and  the  amount  of  work  and 
resources  required  to  complete  that  piece  of  the 
project.  Additional  oversight  was  enabled  through 
the  project  manager  and  other  groups,  using 
the  information  from  the  new  reporting  controls. 
Although  additional  reporting  is  in  place  that 
focuses  on  time  and  costs,  this  does  not  guarantee 
that  the  project  will  be  able  to  be  completed  as 
expected. 

The  new  project  reporting  methodology: 

breaks  larger  project  tasks  into  smaller,  more 
manageable  pieces 

ensures  that  the  resources  and  time  used 
on  these  smaller  pieces  are  accurately  and 
regularly  updated 

Previously,  project  tasks  could  be  months  in 
length  and  could  be  considered  50%  complete 
after  nothing  other  than  an  initial  organizational 
meeting.  Because  the  project's  managers 
now  measure  work  in  steps  that  are  no  longer 
than  20  days,  there  is  more  accountability  for 
project  team  leads  to  have  work  done  on  time 
and  for  the  reporting  to  be  more  accurate. 

With  the  new  reporting  methodology,  pieces  of  work 
are  given  the  status  of: 
25%  when  started 

5     The  Executive  Implementation  Team  was  created  by  the 
Strategic  Steering  Committee  and  is  composed  of  ATB 
senior  management  The  Steering  Committee  expects  the 
Team  to  review  decisions  necessary  to  operationalize  the 
Core  program  and  assess  the  implications  to  ATB.  The 
Team  can  make  decisions  where  costs  are  below  specific 
dollar  thresholds  and  where  delivery  dates  of  the  program 
are  not  affected. 


50%  when  work  is  halfway  done 

75%  when  work  is  completed 

100%  when  the  work  is  confirmed  as 

completed  and  adequate  by  others  who  are 

relying  on  this  work 

The  work  is  divided  into  smaller  parts  and  there 
is  an  independent  review  of  the  work.  Therefore, 
there  is  less  chance  of  work  remaining  incomplete 
for  extended  periods  or  being  unacceptable  to 
those  who  rely  on  it.  This  methodology  helps 
increase  the  compliance  with  deadlines  and  the 
quality  of  the  work. 

We  assessed  ATB's  methodology  for  preparing 
earned  value  reports  to  oversight  committees, 
such  as  the  Audit  Committee  and  the  Strategic 
Steering  Committee.  The  main  deliverables  from 
these  reports  are  cost  and  schedule  performance 
indicators.  These  are  derived  from  the  daily 
entering  of  the  work  completed  and  resources 
used,  and  the  outstanding  work  and  the  anticipated 
resources  needed  to  finish  each  piece  by  the  team 
leaders.  ATB  uses  a  Microsoft  project  application  to 
store  and  process  this  information. 

We  confirmed  that  the  methodology  and 
procedures  used  to  calculate  the  cost  and  schedule 
performance  indicators  were  reasonable.  The 
project  management  team  uses  these  indicators  to 
forecast  the  project's  cost  and  date  of  completion. 
We  reviewed  a  sample  of  the  information  used  in 
the  calculations  and  confirmed  it  was  entered  on 
time  and  complete. 

The  Executive  Advisory  Council  reviewed  pending 
scope  and  change  requests  to  decide  what  was 
required.  This  helped  freeze  the  project  scope 
in  February  2010.  The  Council's  actions  were 
essential  to  meeting  the  project's  first  "gate"  or 
milestone  which  was  to  freeze  the  project's  scope. 

The  Core  project  team  continues  to  identify 
change  requests  despite  the  project  team's  work 
leading  up  to  the  Strategic  Steering  Committee's 
declaration  that  the  first  milestone  or  "gate" 
was  met.  To  deal  with  new  change  requests, 
ATB  implemented  a  process  to  review  and  approve 
only  the  changes  necessary  for  the  Core  project 
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to  go  live  in  April  2011 .  New  change  requests  are 
now  assessed  and  approved  by  the  project  team 
and  the  Executive  Implementation  Team,  and  then 
approved  by  the  Strategic  Steering  Committee. 
Changes  approved  are  assessed  for  their  impact 
on  the  scope,  budget  or  timelines  of  the  Core 
project.  The  project  plan,  budget  and  timelines 
are  then  updated  accordingly.  We  observed  the 
updated  project  timelines  and  budgets,  and  ATB 
told  us  that  recently  identified  change  requests  will 
not  affect  the  scheduled  April  2011  go  live  date. 


milestones  (scope,  process  design,  build  and  test) 
require  specific  criteria  that  must  be  met  in  order 
for  the  April  2011  go  live  date  to  be  achieved. 
Also  called  "gates,"  they  will  be  monitored  and 
agreed  to  by  the  project  manager,  the  Executive 
Implementation  Team  and  the  Strategic  Steering 
Committee.  This  approach,  with  defined 
checkpoints  throughout  the  project,  will  ensure 
that  the  project  remains  on  its  critical  path  and  that 
there  is  clear  agreement  that  the  project  should 
continue. 


We  reviewed  ATB's  new  project  management 
procedures  and  reporting  methodology.  We 
confirmed  that  they: 
are  in  place 

are  designed  to  minimize  the  risk  that  the 
project  will  not  be  completed  within  the  revised 
timelines  and  budget 
provide  more  detailed  and  more  frequent 
reporting  to  the  Audit  Committee  and  other 
oversight  committees 

ATB  has  also  entered  into  new  contracts  with 
its  key  vendors,  SAP  and  Accenture.6  The  new 
contracts  give  ATB  more  control  over  project 
change  requests  and  schedule  and  put  more 
accountability  on  SAP  and  Accenture  to  ensure  the 
project  is  completed  on  time  and  on  budget. 

Project  governance — implemented 
Background 

In  our  April  2010  Report  (no.  10 — page  84),  we 
recommended  that  Alberta  Treasury  Branches 
review  the  Core  project  at  clearly  identified 
checkpoints  within  the  revised  project  plan  to 
ensure  the  deliverables  are  accepted  by  the 
Strategic  Steering  Committee  and  there  is  clear 
agreement  for  the  project  to  continue. 

Our  audit  findings 

The  revised  project  plan  presented  to  the 
Audit  Committee  by  the  project  manager  in 
February  2010  identified  significant  milestones 
to  check  and  manage  project  progress.  Four 


6     Accenture  is  a  management  consulting,  technology  and 
outsourcing  company. 


ATB  identified  the  following  four  gates: 

Gate  1:  Scope 

Gate  2:  Process  design 
•     Gate  3:  Build 

Gate  4:  Test 

The  new  reporting  methodology  and  the  use  of 
the  gates  as  important  checkpoints  will  put  more 
emphasis  on  meeting  each  of  the  critical  steps  of 
the  project  instead  of  just  the  final  deliverable.  The 
new  processes  will  also: 

provide  advanced  notice  if  the  go  live  date  is  in 

danger  of  not  being  met 

allow  for  additional  and  timely  monitoring  and 

enforcing  accountability 

Gate  1 :  Scope 

The  Strategic  Steering  Committee  declared 
the  first  gate  met  based  on  a  presentation  from 
the  Executive  Advisory  Council  and  the  project 
manager  during  a  March  2010  meeting.  The 
information  presented  to  the  Steering  Committee 
concluded  that  all  pending  business  decisions  and 
change  requests  were  assessed  and  approved 
or  deferred  by  the  Council.  The  Council  and  the 
project  manager  also  declared  that  a  new  project 
scope  was  now  defined  and  the  scope  could  be 
frozen  for  an  April  2011  go  live  date. 

The  criteria  for  Gate  1  were  not  well  defined. 
However,  the  Steering  Committee  concluded  that 
sufficient  work  was  done  by  the  Council  and  project 
manager  to  declare  Gate  1  met  and  to  proceed  to 
Gate  2. 
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Gate  2:  Process  design 
This  gate  was  well  defined  and  documented. 
Process  design  was  targeted  for  completion  in 
April  2010.  The  project  team  declared  Gate  2 
completed  in  May  2010.  Process  design  was 
substantially  completed  on  this  date,  but  not  all 
of  the  defined  criteria  were  met.  To  complete  this 
gate,  ATB's  Strategic  Steering  Committee  declared 
the  missed  criteria  as  non-critical  exceptions  to  the 
overall  project.  ATB  considered  the  gate  met  and 
decided  the  project  could  concentrate  on  the  next 
gate — build. 


explanations  for  variances  between  actual 
results  and  the  revised  project  plan,  and  the 
actions  taken  to  deal  with  the  causes 


Our  audit  findings  

ATB  management  and  the  project  team  are 
providing  the  Audit  Committee  of  the  Board  of 
Directors  with  the  information  we  recommended  in 
our  April  2010  Report. 


Gate  3:  Build 

This  gate  was  well  defined  and  documented.  The 
project  team  clearly  identified  criteria  for  this  gate 
to  be  completed.  They  also  identified  criteria  that 
could  be  missed  without  affecting  the  overall  project 
and  how  to  document  and  resolve  those  missing 
items.  This  gate  was  not  due  for  completion  until 
July  2010,  after  our  audit  work  was  completed. 
Therefore,  we  cannot  comment  on  ATB's  success 
in  meeting  the  criteria  and  deadline  for  Gate  3. 

Overall  conclusion  on  gates:  For  the  three 
gates  we  examined,  ATB's  process  for  defining 
the  three  gates,  developing  the  criteria  to  be 
met,  and  then  making  a  declaration  to  close  a 
gate  and  move  on  were  adequate.  However,  the 
Strategic  Steering  Committee  and  Audit  Committee 
should  closely  monitor  any  missed  criteria  from 
all  gates  and  ensure  they  are  eventually  met.  The 
project  manager  should  also  regularly  report  to  all 
committees  on  missed  criteria  and  the  progress 
made  to  ensure  they  are  completed. 

Performance  reporting — implemented 
Background 

In  our  April  2010  Report  (no.  11 — page  85),  we 
recommended  that  ATB's  management  provide  its 
Board  of  Directors  with  more  information  on  the 
Core  project's: 

performance  in  relation  to  the  revised  schedule 

and  budget 

stage  of  completion  of  significant  project 
deliverables  (percent  complete  and  percent  of 
budget  consumed) 
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Investigative  role  policy — implemented 
Background 

In  our  October  2008  Report  (page  317),  we 
recommended  that  the  Health  Quality  Council 
of  Alberta  improve  its  Investigative  Role 
Policy  by  defining  or  providing  guidance  on 
methodologies  for  different  circumstances  and  on 
medical  standards  for  planning  and  conducting 
investigations. 


Our  audit  findings 

HQCA  has  developed  a  new  policy  titled  Review 
Role  of  the  Health  Quality  Council  of  Alberta 
Respecting  Patient  Safety  and  Health  Service 
Quality.  This  policy  now  includes: 

a  statement  on  the  use  of  appropriate  review 

methodologies 

a  list  of  investigative  procedures  with 
descriptions  of  their  application  in  various 
aspects  of  reviews 

a  statement  on  the  need  to  assess  and  utilize 
relevant  standards  and  guidelines  to  assess 
current  practices  and  make  recommendations 
for  best  practices 

a  list  of  standards  that  may  be  useful  in  reviews 

Guidance  on  using  legal  assistance — 

implemented 

Background 

In  our  October  2008  Report  (page  31 9),  we 
recommended  that  the  Health  Quality  Council 
of  Alberta  provide  guidance  on  the  use  of  legal 
assistance  when  conducting  investigations. 


Our  audit  findings 

HQCA  has  developed  a  new  policy  entitled  Review 
Role  of  the  Health  Quality  Council  of  Alberta 
Respecting  Patient  Safety  and  Health  Service 
Quality.  This  policy  provides  guidance  on  the  use 
of  legal  assistance  for  matters  relating  to  potential 
misconduct  or  illegal  activity. 
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Summary 


What  we  examined 

In  2005,  we  audited  systems  that  the  Departments 
of  Seniors  and  Community  Supports,  and  Health 
and  Wellness  used  to  deliver: 

services  in  long-term  care  facilities 

the  Seniors  Lodge  Program 

the  Alberta  Seniors  Benefit  Program 

(ASB  Program) 

In  this  report,  we  follow  up  the  two 

recommendations  specific  to  the  ASB  Program. 

We  recommended  that  the  Department 

of  Seniors  and  Community  Supports: 

improve  the  measures  it  uses  to  assess 

whether  the  program  is  meeting  the 

Department's  objectives 

obtain  further  information  to  support  income 

threshold,  cash  benefit  and  supplementary 

accommodation  benefit  decisions  for  the 

program 

Two  recommendations  remain  outstanding.  See 
outstanding  recommendations  on  pages  219 
and  224. 

Why  this  is  important  to  Albertans 

Albertans  want  to  be  assured  that  seniors  in 
financial  need  have  access  to  sufficient  assistance 
to  support  their  well-being. 

What  we  found 

The  Department  has  fully  implemented  both 

recommendations  by: 

using  income-based  measures  to  assess  if 
Program  objectives  are  being  met 
obtaining  additional,  relevant  information 
for  determining  needs  and  setting  income 
thresholds  and  benefit  levels 


Audit  objectives  and  scope 


Our  objective  was  to  determine  if  the  Department  of 
Seniors  and  Community  Supports  has  implemented 
the  two  ASB  Program  recommendations  from  our 
May  2005  Report  on  Seniors  Care  and  Programs 
(pages  55-56). 

We  focused  on  the  Department's  actions  since 
our  2005  report.  We  conducted  our  field  work  in 
May  2010. 


Overview 


The  Department  administers  a  provincially  funded 
income-based  program  that  provides  cash  benefits 
to  lower-income  seniors.  The  Alberta  Seniors 
Benefit  program  supplements  the  income  seniors 
receive  from  federal  benefit  plans  such  as  Old 
Age  Security  (OAS)  and  the  Guaranteed  Income 
Supplement  (GIS).  Seniors  are  eligible  to  receive 
maximum  ASB  benefits  if  they  are  over  65  and 
receive  the  full  amount  of  OAS  benefit.  Seniors 
who  receive  additional  income,  such  as  from  the 
Canada  Pension  Plan,  are  eligible  to  receive  ASB, 
but  at  a  reduced  rate. 

ASB  is  one  of  several  assistance  programs  the 
Department  manages.  It  is  intended  to  help  seniors 
pay  for  the  necessities  of  life.  Eligible  low-income 
seniors  in  financial  distress  may  also  receive 
assistance  for  allowable  expenses,  up  to  $5,000 
per  year,1  from  the  Special  Needs  Assistance 
Program.  Seniors  may  also  be  eligible  to  receive 
benefits  under  dental  and  optical  assistance  plans. 

The  Minister  of  Seniors  and  Community  Supports 
formed  the  Demographic  Planning  Commission  and 


1      Special  Needs  Assistance  provides  benefits  for  seniors 
experiencing  difficulty  in  paying  one-time  extraordinary 
expenses  see  http://www.seniors.gov.ab.ca/financial_ 
assistance/specialneeds/  for  more  information. 
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asked  it  to  develop  a  policy  framework  for  an  aging 
population.  The  Commission  provides  information2 
about  issues  that  seniors  might  face  and  the  role 
of  government,  communities  and  individuals  in 
supporting  the  future  needs  of  seniors. 

The  amount  of  ASB  seniors  receive  depends  on  a 
number  of  factors  including  income,  marital  status 
and  residence.  The  lower  a  senior's  income,  the 
higher  their  ASB  will  be,  up  to  an  established 
maximum.  The  maximum  benefits  for  2010  for 
ASB,3  OAS  and  GIS4  are  as  follows: 


Single 

Home  Owner, 
Renter, 
Lodge 
Resident 

Long-term 
Care  Resident 

Other 
(living  with 
family) 

OAS 

$6,227 

$6,227 

$6,227 

GIS 

7,854 

7,854 

7,854 

ASB 

3,360 

10,080 

2,340 

Total 

$17,441 

$24,161 

$16,421 

Table  1:  Maximum  Benefits — Single  Seniors 


Married  Couple 

Home  Owner, 
Renter, 
Lodge 
Resident 

Long-term 
Care  Resident 

Other 
(living  with 
family) 

OAS 

$12,454 

$12,454 

$12,454 

GIS 

10,372 

10,372 

10,372 

ASB 

5,040 

13,440 

4,680 

Total 

$27,866 

$36,266 

$27,506 

Table  2:  Maximum  Benefits — Married  Seniors 


In  2008-2009,  the  Department  reported  that 
approximately  138,000  of  Alberta's  382,000  seniors 
received  monthly  cash  benefits  from  the  ASB 
Program,  averaging  $147  per  household.5  The  total 
ASB  paid  to  seniors  for  the  2008-2009  fiscal  year 
was  $255,623,000. 

2  See  http://www.seniors.alberta.ca/seniors/tomorrow/ 
FindingsReport.pdf  for  the  full  Demographic  Planning 
Commission  Report. 

3  For  current  ASB  benefits  see  http://www.seniors.alberta.ca/ 
financial_assistance/forms/SFAInfoBooklet.pdf 

4  For  current  OAS  and  GIS  benefits  see  http://www. 
servicecanada.gc.ca/eng/isp/oas/tabrates/tabmain.shtml 

5  Alberta  Seniors  and  Community  Supports  2008-2009 
Annual  Report,  page  25. 
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Findings  and  recommendations 


Improve  measures — implemented 
Background 

In  our  October  2005  Report  (page  68),  we 
recommended  that  the  Department  improve  the 
measures  it  uses  to  assess  whether  it  is  meeting 
the  objective  of  the  ASB  Program. 

The  Department's  objective  for  the  ASB  Program 
is  to  provide  financial  support  to  seniors  in  need 
so  they  can  secure  their  basic  living  needs  and 
maintain  their  independence.  The  Department 
views  ASB  as  a  supplement  to  federal  benefits,  not 
as  a  program  designed  to  meet  all  seniors'  financial 
needs. 

The  ASB  Program  assesses  an  individual  senior's 
income  when  determining  need.  ASB  income 
thresholds  are  at  levels  that  the  Department 
concludes  seniors  will  have  enough  income  to  live 
in  a  secure  and  dignified  way. 

In  2005,  we  found  the  Department  used  two 
externally  reported  performance  measures  to 
evaluate  whether  it  was  achieving  its  goals  for  the 
ASB  Program: 

percentage  of  eligible  seniors  provided  with 
the  opportunity  to  apply  for  the  Alberta  Seniors 
Benefit 

the  satisfaction  of  seniors  with  information 
provided 

Neither  of  these  measures  gave  the  Department 
information  about  whether  the  program  was 
meeting  its  objective. 


Our  audit  findings 

The  Department  has  implemented  this 
recommendation.  It  uses  income-based 
external  and  internal  reporting  measures,  which 
are  appropriate  assessment  tools  given  the 
Department's  use  of  income  level  to  determine 
need. 
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For  its  externally  reported  performance  measure 
for  the  ASB  Program,  the  Department  now  uses 
a  comparison  of  the  difference  between  Alberta 
seniors'  average  total  income  and  the  equivalent 
national  seniors'  average.6  The  Department  reports 
that  since  2001  Alberta  seniors  have  had  higher 
total  incomes  than  Canadian  seniors.  The  average 
income  of  Alberta  seniors  is  above  the  ASB  income 
threshold. 

For  internal  purposes,  the  Department  uses  Low 
Income  Cut  Offs  (LICO)  as  one  measure  to  help 
identify  individuals  or  households  who  may  be 
more  financially  vulnerable  compared  to  others. 
LICO  is  a  measure  developed  by  Statistics  Canada 
to  describe  an  income  level  below  which  a  family 
spends  significantly  more  of  its  income  on  the 
necessities  of  life  than  an  average  family.  LICO  is 
developed  by  analyzing  family  expenditure  data 
and  then  determining  the  income  level  at  which  a 
family  spends  a  significantly  larger  portion  (20%) 
of  its  income  on  the  necessities  of  life.  LICO  is  a 
relative,  rather  than  an  absolute,  measure  of  need. 

The  Department  commissioned  research  by 
members  of  the  Faculty  of  Social  Work  at  the 
University  of  Calgary  and  the  Department  of 
Ecology  at  the  University  of  Alberta  to  study  the 
financial  characteristics  and  economic  needs  of 
seniors  in  Alberta  using  the  LICO  concept  and 
Statistics  Canada  data  for  Alberta.  The  study, 
completed  in  2009,  found  that  the  majority  of 
seniors  in  Alberta  reported  income  above  the  LICO, 
and  that  the  income  cut-off  thresholds  for  the  ASB 
Program  were  higher  than  LICO.  In  other  words, 
the  ASB  income  thresholds  have  been  set  at  levels 
that  support  seniors  in  need  of  financial  support. 

Improve  data — implemented 
Background 

In  our  October  2005  Report  (no.  13 — page  69),  we 
recommended  that  the  Department  obtain  further 
information  necessary  to  make  income  threshold, 


cash  benefit  and  supplementary  accommodation 
benefit  decisions  for  the  ASB  Program. 

The  Department's  Seniors  Services  Division 
regularly  analyzes  data  from  a  variety  of  sources. 
Its  policy  and  planning  group  obtains  data  from 
sources  such  as  Statistics  Canada's  surveys  of 
household  expenditures  and  Canada  Revenue 
Agency  data  of  seniors'  incomes,  which  is  analyzed 
by  income  type  and  age  group.7  This  group  also 
monitors  activity  on  seniors'  issues  in  other  parts 
of  the  country  and  the  world  and  prepares  monthly 
environmental  scans.  The  project  and  information 
management  area  collects  internal  data,  such 
as  information  from  seniors'  financial  assistance 
program  applications,  and  uses  it  to  produce 
monthly  summary  reports. 

Management  uses  these  reports  to  assess  whether 
ASB  income  thresholds  and  cash  benefits  provide 
an  adequate  level  of  assistance  based  on  analysis 
of  Alberta  seniors'  income  levels  and  average 
expenditures.  It  then  makes  recommendations  to 
the  Minister  of  Seniors  and  Community  Supports 
about  changes  to  ASB  Program  benefit  levels. 

Our  audit  findings 

The  Department  has  implemented  this 
recommendation.  It  now  obtains  and  uses 
additional  information  to  determine'  financial  need 
when  making  decisions  on  ASB  Program  benefits 
and  income  thresholds. 

The  Department's  sources  of  information  include: 
an  inter-provincial  comparison  of  seniors' 
benefit  programs  and  tax  incentives — 
Comparisons  include  maximum  monthly 
income  support,  maximum  income  level 
cut-offs  and  a  variety  of  other  financial  support 
programs.  This  information  is  updated  annually 
by  the  Department's  policy  and  planning  group, 
a  study  using  the  LICO  concept — In  order  for 
this  study  to  remain  relevant,  the  Department 


6     Alberta  Seniors  and  Community  Supports  2008-2009 
Annual  Report,  page  28 


7     For  additional  information  on  seniors  income  and  expense 
information  see  A  Profile  of  Alberta  Seniors  at  http://www. 
seniors. alberta. ca/policy_planning/factsheet_seniors/ 
factsheet-seniors.pdf 
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must  use  updated  source  data  as  it  becomes 
available  to  re-calculate  the  results. 

We  verified  that  the  Department  used  this 
information  to  support  its  recommendations  to  the 
Minister  for  changes  to  ASB  benefits  and  income 
thresholds. 

The  Department  also  monitors  changes  to  federal 
benefit  programs  that  may  affect  ASB  payments. 
For  example,  a  recent  increase  in  Canada  Pension 
Plan  benefits  would  have  resulted  in  a  reduction 
of  ASB  for  approximately  35,000  seniors  whose 
incomes  were  at  the  existing  maximum  income 
cut-offs.  The  Department  recommended  that 
maximum  income  thresholds  increase  so  that  the 
CPP  increase  would  not  result  in  the  "claw  back" 
of  ASB  benefits.  An  amendment  to  the  Seniors 
Benefit  Act  General  Regulation,  made  through  an 
Order  in  Council8,  in  June  2010,  increased  the  ASB 
Program  thresholds  effective  July  2010. 


8      O.P.  173/2010 
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Summary 


The  Government  of  Alberta  uses  a  variety  of 
information  technology  systems  to  provide 
programs  and  services,  and  host  and  process 
personal  information.  Service  Alberta  is  responsible 
for  the  security  of  the  government's  IT  systems. 

We  made  12  recommendations  to  Service  Alberta 
in  our  April  and  October  2008  reports  on  developing 
and  implementing  an  IT  control  framework  and 
three  areas  of  IT  security: 

secure  development,  operation  and  use  of  web 

applications 

security  of  wireless  access  to  systems 
physical  security  and  environmental  protection 
of  data  in  data  facilities 

Service  Alberta  has  implemented  two  of  these 
recommendations  and  made  satisfactory  progress 
toward  implementing  a  further  nine.  We  have 
repeated  one  recommendation  from  our  original 
report. 

What  we  did 

In  this  follow-up  audit,  we  assessed  Service 

Alberta's  progress  to: 

develop  and  implement  an  IT  control  framework 
and  help  others  communicate  and  use  it 
develop  and  implement  IT  security  policies, 
procedures  and  standards  for  web  application, 
physical,  and  wireless  security 
ensure  IT  security  policies,  procedures 
and  standards  are  followed  throughout  the 
government 

Why  this  is  important  to  Albertans 

Albertans  need  to  know  that  the  IT  systems  the 
government  uses  are  secure  and  are  available 
when  needed. 


and  control  framework  in  2008.  Although  the 
project  did  not  meet  its  original  timeline,  work  is 
progressing  and  Service  Alberta,  along  with  the 
Chief  Information  Officer  Council,  is  developing 
new  timelines,  taking  into  account  the  availability  of 
resources. 

Service  Alberta  developed,  approved  and 
communicated  10  IT  security  directives  that 
include  policies,  procedures,  and  standards. 
Service  Alberta  also  worked  with  the  Ministry  of 
Infrastructure  to  develop  and  implement  security 
standards  for  shared  data  facilities  that  store  the 
government's  information  systems  and  data. 

However,  Service  Alberta  cannot  yet  demonstrate 
that  government  departments  have  implemented 
and  are  consistently  following  these  security 
policies,  procedures  and  standards. 

What  needs  to  be  done 

To  ensure  that  government  IT  systems  are  secure 
and  available  when  needed,  Service  Alberta  needs 
to: 

complete  the  development  and  implementation 
of  a  government  wide  IT  governance  and 
control  framework 

ensure  that  the  ten  IT  security  directives 
are  consistently  followed  by  government 
departments 

Background 

The  Government  of  Alberta  creates,  uses  and 
manages  large  volumes  of  highly  sensitive  and 
confidential  information.  This  includes  corporate 
financial  data,  ministry-specific  business 
information  and  personal  data  about  Albertans  (for 
example,  health  care  records  and  driver's  licence 
data).  The  government  has  a  responsibility  under 
privacy  legislation  to  safeguard  this  information. 


What  we  found 

Service  Alberta  worked  with  other  ministries, 
through  the  Chief  Information  Officer  Council, 
to  start  the  development  of  an  IT  governance 


This  information  is  created  on  thousands  of  devices 
and  is  processed  and  hosted  in  electronic  form  on 
servers  within  ministries  or  at  shared  data  centres 
throughout  the  province.  This  data,  and  the  devices 
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on  which  it  is  created,  processed  and  stored,  is 
collectively  known  as  "information  assets." 

An  effective  IT  control  framework  and 
well-designed  IT  security  controls  can  help  protect 
these  information  assets  from  loss,  misuse  or 
theft.  Service  Alberta  has  the  authority  to  develop, 
communicate,  implement,  monitor  and  enforce  a 
standardized  IT  control  framework  and  government 
security  policies  and  standards. 

IT  control  framework 
IT  control  frameworks  help  organizations  use 
IT  systems  for  the  greatest  benefit  and  with  the 
least  risk.  An  IT  control  framework,  properly 
implemented,  can  align  business  requirements, 
resolve  technical  issues,  and  identify  risks  and 
controls  to  reduce  risks. 

In  our  April  2008  Report  (page  170),  we  reported 
on  our  systems  audit  of  the  government's 
IT  governance  and  control  frameworks  and 
standards.  Our  initial  objective  was  to  evaluate 
whether  departments  properly  identify  risks  and  use 
an  IT  control  framework  to  develop  well-designed 
controls  to  mitigate  them.  We  recommended  that 
Service  Alberta  work  with  all  ministries  through  the 
Chief  Information  Officer  Council,  to  develop  and 
promote: 

a  comprehensive  IT  control  framework 
guidance  to  implement  well-designed  and 
cost-effective  IT  control  processes  and 
activities 

Service  Alberta  and  the  CIO  Council  agreed  that 
collaboration  with  each  ministry  was  needed,  to: 
develop  a  common  IT  control  framework  and 
IT  control  process  standards 
manage  changes  to  the  IT  control  framework 
communicate  changes  in  the  IT  control 
framework  to  ministries  and  other  government 
entities 

educate  staff  on  implementing  and  consistently 
following  the  framework 

Service  Alberta  and  the  CIO  Council  planned 
to  develop  these  systems  and  processes  by 
March  2009,  with  full  implementation  of  this 
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recommendation  in  2010-2011.  Service  Alberta 
started  an  IT  governance  task  force's  charter  in 
October  2008,  and  prepared  a  draft  information 
management  technology  control  framework 
overview  and  plan  in  October  2009,  but  did  not 
meet  the  original  implementation  timeline.  Revised 
completion  dates,  taking  into  consideration  the 
availability  of  resources,  are  currently  being 
prepared. 

IT  security  controls 

In  our  October  2008  Report  (pages  53-91 ),  we 
reported  on  an  audit  of  systems  the  government 
uses  to  protect  information  assets.  Our  objective 
was  to  investigate  whether  the  government  had 
effective  standards  and  procedures  to  protect  its 
information.  We  examined  policies,  procedures 
and  IT  controls  used  by  ministries,  and  looked 
at  Service  Alberta's  role  in  developing  and 
promoting  IT  controls  to  ministries.  We  made  one 
recommendation  to  Executive  Council,  eight  to 
Service  Alberta  and  two  jointly  to  Service  Alberta 
and  the  Ministry  of  Infrastructure. 

The  October  2008  audit  consisted  of  three  separate 

but  related  systems  audits: 

a  web  application  that  retrieves  data  from  a 

server  in  response  to  requests  received  from 

an  internet-facing  application  {Web  Application 

and  Network  Security  Audit) 

a  wireless  connection  that  allows  access  to  a 

network  on  which  the  server  resides  (Wireless 

Access  Point  Security  Audit) 

direct  physical  access  or  connection  with  the 

server  {Protection  of  Data  Facilities  Audit) 

It  is  possible  to  use  any  of  these  methods  to 
access  government  information  assets.  Each  of 
these  areas  of  security  depends  on  the  other  two. 
Without  adequate  protection  in  all  three  areas, 
attackers  can  focus  on  the  path  of  least  resistance 
(i.e.,  the  area  with  the  weakest  controls)  to  gain 
unauthorized  entry  to  the  system.  We  concluded 
that  the  government's  policies,  procedures  and 
standards  to  protect  information  assets  were  weak. 

In  2008,  we  reviewed  three  sets  of  access  controls: 
one  for  each  of  three  ways  to  access  data.  For 
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each  one,  we  found  a  lack  of  adequate  monitoring 
and  detection  of  risk  or  threats.  The  overall  security 
risks  are  magnified  when  these  risks  combine.  The 
most  worrisome  conclusion  from  our  work  was 
that  no  single  government  functional  area  had  the 
authority  and  responsibility  to: 

design  security  for  the  government  as  a  whole 
evaluate  the  effects  of  weak  security  in  one 
part  of  the  government  and  its  impact  on  the 
rest 

detect  attempted  intrusions  and  respond 
to  potential  security  threats  across  the 
government 

continually  monitor  the  government's  systems 
for  threats  and  vulnerabilities,  and  develop 
remediation  plans 

enforce  the  solutions  required  to  keep  the 
government's  information  assets  secure 

During  our  Protection  of  Information  Assets  Audit 
in  October  2008,  it  became  clear  that  the  IT  control 
framework  recommendation  we  made  in  April  2008 
needs  to  be  implemented  for  Service  Alberta  to 
also  implement  our  new  recommendations.  We 
continued  to  identify  areas  where  there  were 
insufficient  security  standards  or  directives  from 
Service  Alberta  for  other  ministries  to  follow.  In  the 
absence  of  government  wide  policies,  procedures, 
and  standards,  ministries  did  what  they  could  or 
thought  was  adequate — often  to  the  detriment 
of  secured  information  assets.  This  put  the 
government's  ability  to  securely  offer  programs  and 
services  when  needed  at  risk. 


Audit  scope  and  objective 


The  scope  of  this  audit  was  to  assess  and  report 
on  Service  Alberta's  progress  with  implementing 
twelve  recommendations  from  two  previous  audits. 
These  recommendations  focused  on: 

IT  Control  Framework — our  April  2008  Report 
Protection  of  information  assets — our 
October  2008  Report 

Our  objective  was  to  assess  if  the  progress 
made  implementing  the  twelve  recommendations 
was  reasonable  and  satisfactory  and  what — if 
anything — is  still  needed  to  fully  implement  them. 


Criteria  and  approach 

In  our  follow-up  audit,  we  concluded  that  the  criteria 
from  our  2008  audits  are  still  valid. 

We  considered  Service  Alberta  responsible  for 
implementing  all  recommendations  from  both 
audits,  because  Executive  Council  stated  that 
Service  Alberta  has  the  authority  to  develop, 
implement,  and  enforce  security  policies  throughout 
the  government. 

We  surveyed  a  selection  of  departments  to 
assess  Service  Alberta's  ability  to  develop, 
communicate,  implement,  monitor  and  enforce 
information  security  policies  and  standards.  We 
also  assessed  Service  Alberta's  ability  to  promote 
and  offer  guidance  to  departments  to  implement 
the  Information  Security  Management  ten  directives 
and  other  security  policies  and  standards. 


Findings  and  recommendations 


Recommendation  from  our 
April  2008  Report 

IT  control  framework — satisfactory 
progress 

In  our  April  2008  Report  (no.  7 — page  1 70),  we 

recommended  that  the  Ministry  of  Service  Alberta. 

in  conjunction  with  all  ministries  and  through  CIO 

Council,  develop  and  promote: 

a  comprehensive  IT  control  framework,  and 
accompanying  implementation  guidance,  and 
well-designed  and  cost-effective  IT  control 
processes  and  activities 


Background 

In  his  response  to  our  recommendations  the 
President  of  the  Treasury  Board  wrote: 

Tfte  Ministry  of  Service  Alberta  will  customize 
the  comprehensive  IT  control  framework 
to  meet  common  government  of  Alberta 
requirements  and  specific  departmental  needs. 

Through  a  collaborative  process  with 
each  Ministry,  the  department  expects  the 
framework  to  be  developed  in  2008-2009; 
full  implementation  of  this  recommendation  is 
expected  in  2010-2011. 
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Service  Alberta's  response  to  our  recommendation 
and  in  a  subsequent  presentation  to  the 
CIO  Council  indicated  that: 

Service  Alberta  is  supportive  and  committed 
to  work  in  conjunction  with  all  ministries  and 
through  CIO  Council,  to  develop  and  promote 
a  comprehensive  IT  control  framework,  and 
accompanying  implementation  guidance,  and 
well-designed  and  cost-effective  IT  control 
processes  and  activities. 
The  comprehensive  IT  control  framework 
customized  to  meet  common  GoA  and  specific 
departmental  needs  will  be  developed  in 
2008-2009. 

In  terms  of  implementation,  it  is  anticipated 
to  launch  in  the  latter  part  2008-2009  and 
continue  over  2009-2010  and  2010-2011 
as  the  departments  will  likely  have  individual 
implementation  plans  and  associated  timelines 
integrated  into  their  respective  business  plans. 


Our  audit  findings 

Service  Alberta  agreed  with  our  initial 
recommendation  and  with  other  ministries  and 
through  the  CIO  Council  agreed  that  additional 
governance  and  control  was  needed.  Service 
Alberta  initiated  a  project  through  the  CIO  Council 
to  develop  an  IT  governance  and  control 
framework.  The  project  is  underway  and  scheduled 
to  be  completed  in  2011-2012. 

We  requested  all  documentation  and  work 
completed  by  Service  Alberta  and  the  CIO  Council 
on  this  recommendation.  We  were  given  access 
to  the  Service  Alberta  IT  governance  and  control 
protected  website.  From  this  website  we  obtained 
and  reviewed  the  following  documents: 
IMT  Governance  Task  Force  Charter- 
January  23,  2009. 

GoA  IMT  Control  Framework  Presentation — 
August  2009 

IMT  Control  Framework  Overview  and  Plan — 
October  2009 

IMT  Strategic  Planning  Control  practices — 
October  2009 

IMT  Control  Management  Matrix — 
June  15,  2010 


Through  review  of  the  documentation  obtained  on 

the  website  we  determined  that: 

Service  Alberta  and  the  CIO  Council  initiated 
a  task  force  to  develop  and  implement  an 
IT  governance  and  control  framework 
Service  Alberta  and  the  CIO  Council  adopted  a 
control  framework  based  on  COBIT 
the  work  by  Service  Alberta  and  the 
CIO  Council  developed: 

an  initial  IMT  Control  Framework  Plan  on 
October  19,  2009 

IMT  Control  Management  Matrix  on 
June  15,  2010 

Through  further  review  of  documentation  obtained 
directly  from  Service  Alberta  and  on  the  website, 
we  were  able  to  determine  that  progress  on  the 
IT  Governance  and  Control  framework  continues. 

Examples  of  progress  on  the  Framework  include: 
Two  of  the  three  initial  project  task  forces 
completed  their  work  on  directives — Strategic 
Planning  and  Project  Management — that  are 
now  approved  and  part  of  the  Framework.  The 
directive  on  governance  remains  outstanding. 
The  CIO  Council  was  presented  with  the  latest 
version  of  the  Framework  for  consultation  and 
feedback  on  July  22,  2010. 
Minutes  of  the  meeting  demonstrate  that 
CIO  Council  was  asked  to  determine  which 
directives  should  be  started  next,  based  on  risk 
and  available  resources: 

It  is  not  currently  known  what  parts  of  the 
Framework  will  need  a  directive  or  how 
many  directives  will  eventually  be  required 
to  support  the  Framework.  The  number 
of  directives  required  will  be  worked  out 
through  the  three  phases  of  completing  the 
Framework. 

Although  work  continues  on  the  Framework, 
Service  Alberta  and  the  CIO  Council  have  not  yet 
finished  the  development  and  implementation  of: 
a  comprehensive  IT  control  framework,  and 
accompanying  implementation  guidance 
well-designed  and  cost-effective  IT  control 
processes  and  activities 
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To  fully  implement  this  recommendation  Service 
Alberta  must  demonstrate  that  it  has  completed: 
development  and  communication  of  a 
comprehensive  IT  governance  and  control 
framework  to  all  government  departments 
provision  of  adequate  guidance  to  departments 
to  implement  an  IT  control  framework 
development  and  communication  of 
well-designed  and  cost  effective  controls 
for  departments  to  use  to  mitigate  risks  and 
achieve  goals  and  objectives 

We  asked  Service  Alberta  to  provide  us  with  their 
update  project  plan  and  timelines  to  complete 
the  implementation  of  this  recommendation  by 
August  31,  2010. 

Recommendations  from  our 
October  2008  Report 

Central  security  office — satisfactory 

progress 

Background 

In  our  October  2008  Report  (no.  4 — page  53),  we 
recommended  that  Executive  Council  immediately 
establish  a  central  security  office  to  oversee 
(develop,  communicate,  implement,  monitor  and 
enforce)  all  aspects  of  information  security  for 
organizations  using  the  government's  shared 
information  technology  infrastructure. 


Our  audit  findings 

Service  Alberta  implemented  a  Corporate 
Information  Security  Office  (CISO)  and  an 
Executive  Director  was  appointed  in  June  2009. 
The  Executive  Director  reports  to  the  Corporate 
Chief  Information  Officer  (CCIO)  for  the  province 
of  Alberta  and  is  responsible  for  all  aspects  of 
information  and  information  technology  security 
pursuant  to  the  Service  Alberta  Minister's 
April  3,  2009  mandate  letter. 

Executive  Council  also  confirmed  that  Service 
Alberta  has  the  authority  and  responsibility  to 
develop,  implement,  communicate,  and  enforce 


security  policies  and  standards  throughout  the 
government. 

The  CISO  developed  and  communicated  ten 
information  security  management  directives. 
These  ten  directives  were  approved  by  the 
CCIO  on  February  5,  2010.  Through  review  of 
these  documents  we  confirmed  that  the  CISO 
successfully  developed  and  implemented  adequate 
security  policies,  procedures,  and  standards  that 
would  reasonably  protect  government  information 
assets  if  properly  implemented  and  consistently 
followed. 

We  also  obtained  sufficient  evidence  demonstrating 
that  Service  Alberta  communicated  and  explained 
the  security  directives  through  the  CIO  Council  and 
other  forums  throughout  the  government. 

However,  we  were  unable  to  obtain  sufficient 
evidence  that: 

departments  implemented  the  security 

directives 

Service  Alberta  monitors  and  ensures  that  the 
security  directives  are  consistently  followed 
Service  Alberta  can  enforce  compliance  with 
the  security  directives 

To  fully  implement  this  recommendation  Service 

Alberta  must  demonstrate  that  it: 

communicates  and  provides  guidance  when 
required  to  departments  to  understand  and 
implement  the  security  directives 
monitors  or  assesses  departments  for 
compliance  with  the  security  directives 
monitors  the  government's  shared 
infrastructure  to  ensure  that  devices  meet  the 
standards  set  in  the  security  directives 
enforces  the  security  standards  in  the  security 
directives  by  ensuring  devices  in  the  shared 
computing  environment  meet  the  standards, 
subject  to  a  documented  and  approved 
Exceptions  Process  where  a  Deputy  Minister 
completes  a  risk  assessment  and  accepts  the 
risk  that  a  device  does  not  meet  the  security 
standard 
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Web  application  standards  and 
policies — implemented 
Background 

In  our  October  2008  Report  (page  64),  we 
recommended  that  Service  Alberta,  in  conjunction 
with  all  ministries  and  through  the  Chief  Information 
Officer  (CIO)  Council,  develop  and  maintain 
detailed  policies,  procedures,  and  standards  to 
build  and  operate  secure  web  applications. 


Our  audit  findings 

We  obtained  and  reviewed  Service  Alberta's 
Security  Directive  #7 — Information  Technology 
Acquisitions,  Development  and  Maintenance.  This 
directive  identifies  the  requirements  for  securely 
developing  and  deploying  applications — including 
web  applications — throughout  the  government. 

Through  our  review  of  the  directive  we  confirmed 
that  Service  Alberta  developed  policies,  procedures 
and  standards  to  build  and  operate  secure  web 
applications.  We  also  confirmed  through  review 
of  other  documentation  and  through  inquiry  with 
departments  during  our  annual  general  computer 
control  reviews,  that  Service  Alberta  sufficiently 
promoted  these  policies,  procedures  and  standards 
to  departments  through  the  CIO  Council  or  other 
means. 

Although  we  consider  this  recommendation 
implemented,  we  will  assess  in  future  audits  that 
Service  Alberta  ensures  their  security  directives, 
including  Directive  #7,  are  reviewed,  regularly 
updated  and  that  the  changes  are  communicated 
when  needed. 

Develop  standards  and  policies  to 
ensure  web  applications  are  built  to 
required  standards — recommendation 
repeated 

In  our  October  2008  Report  (no.  5 — page  66),  we 
recommended  that  Service  Alberta  develop  and 
implement  controls  to  ensure  government  web 
applications  are  safe. 


Recommendation:  web  application 
controls 


RECOMMENDATION  NO.  7— REPEATED 


We  again  recommend  that  Service  Alberta, 
in  conjunction  with  all  ministries  and  through 
the  Chief  Information  Officer  Council,  develop 
and  implement  well  designed  and  effective 
controls  to  ensure  all  Government  of  Alberta 
web  applications  consistently  meet  all  security 
standards  and  requirements. 

Criteria:  the  standards  for  our  audit 

Service  Alberta,  in  conjunction  with  ministries 
and  through  the  CIO  Council,  should  have  well 
designed  and  effective  control  processes  to: 
review  the  security  of  all  web  applications 
on  the  government's  shared  computing 
infrastructure 

ensure  web  applications  consistently  meet  all 
security  standards  and  requirements 


Our  audit  findings 


Key  Point 


No  evidence  of  monitoring  for  compliance  to 
Security  Directives 

We  obtained  and  reviewed  Service  Alberta's 
Security  Directive  #7 — Information  Technology 
Acquisitions,  Development  and  Maintenance.  This 
directive  identifies  the  requirements  for  securely 
developing  and  operating  applications — including 
web  applications — throughout  the  government. 

We  also  obtained  and  reviewed  Directive  #10 — 
Compliance.  Through  review  of  this  directive  we 
confirmed  that  section  3.2  requires: 

Ministry  Deputy  Heads  to  monitor  for 
compliance  with  mandatory  Information 
Security  management  policy  instruments  and 
to  report  the  results  to  the  Corporate  Chief 
Information  Officer. 

Information  systems  to  be  regularly  checked  for 
compliance  with  mandatory  information  security 
management  policy  instruments. 
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However,  Service  Alberta  was  unable  to 
demonstrate  it: 

developed  and  implemented  procedures  or 
controls  to  review  and  assess  the  security  of 
all  web  applications  using  the  government's 
shared  computing  infrastructure  and  ensure 
they  consistently  meet  security  directive 
standards  and  requirements 
obtained  sufficient  assurance  from  departments 
that  their  web  applications  using  the 
government's  shared  infrastructure  are: 

properly  secured  before  being  implemented 
regularly  assessed  to  ensure  they  are 
updated  and  continually  meet  Service 
Alberta's  security  directive  standards 

To  enable  us  to  conclude  that  Service  Alberta  has 
made  satisfactory  progress  on  implementing  this 
recommendation,  it  would  need  to  demonstrate 
that  it  has  documented  well-designed  controls  that 
ensure  requirements  in  Directive  #7 — Information 
Technology  Acquisitions,  Development  and 
Maintenance  are  consistently  met  and  to: 

review  and  approve  that  new  web  applications 
meet  the  security  directive  standards  before 
being  allowed  into  the  shared  computing 
infrastructure1 

regularly  review  and  ensure  that  all  existing 
web  applications  in  the  shared  computing 
infrastructure  consistently  meet  the  security 
directive  standards 

remove  or  bring  into  compliance  all  web 
applications  in  the  shared  computing 
infrastructure  not  meeting  security  directive 
standards 

To  fully  implement  this  recommendation,  Service 
Alberta  must  demonstrate  that  there  are  effective 
controls  to  ensure  web  application  security 
directives,  policies,  procedures,  and  standards  are 
followed.  For  example  Service  Alberta  must  ensure 
that  it: 

adequately  and  continually  monitors  and 
assesses  the  security  of  all  web  applications 
using  the  government's  shared  computing 
infrastructure 

1      The  shared  computing  infrastructure  is  any  part  of  the 
Government  of  Alberta's  computing  environment  that  is 
hosted  or  administered  by  Service  Alberta. 


takes  action  to  remove  or  secure  web 
applications  that  do  not  meet  the  standards  as 
set  out  in  Directive  #7: 

Exceptions  to  meeting  web  application 
security  directives,  policies,  procedures, 
and  standards  must  be  documented  and 
approved  through  the  Exceptions  Process 
where  a  Deputy  Minister  completes  a  risk 
assessment  and  accepts  the  risk  that  an 
application  does  not  meet  the  security 
standard. 

Shared  network  policies,  procedures 
and  standards — satisfactory  progress 
Background 

In  our  October  2008  Report  (no.  6 — page  68),  we 
recommended  that  Service  Alberta  work  with  all 
ministries  and  through  the  Chief  Information  Officer 
(CIO)  Council,  to  develop  and  implement  security 
policies,  procedures,  standards,  and  well  designed 
control  activities  for  the  Government  of  Alberta's 
shared  computing  network. 


Our  audit  findings 

We  confirmed  that  Service  Alberta's  ten  directives 
were  finalized  on  January  22,  2010,  and 
approved  by  the  Corporate  Chief  Information 
Officer  on  February  5,  2010.  These  directives 
apply  to  all  government  departments.  The  CISO 
also  developed  and  provided  policy  advisory 
guides  to  departments  to  supplement  further 
detail  requirements  set  in  the  security  directives 
to  mitigate  security  risks  in  government  and 
departmental  operating  environments. 

We  reviewed  the  CISO  security  directives  and 
agree  that  if  implemented  and  consistently 
followed,  the  policies,  procedures  and  standards  in 
them  would  reasonably  ensure  the  confidentiality, 
integrity  and  availability  of  government  information 
systems  and  data. 

Security  Directive  #10 — Compliance,  section  3.2 
requires: 

Ministry  Deputy  Heads  to  monitor  for 
compliance  with  mandatory  Information 
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Security  management  policy  instruments  and 
to  report  the  results  to  the  Corporate  Chief 
Information  Officer  (CCIO). 
Information  systems  to  be  regularly  checked  for 
compliance  with  mandatory  information  security 
management  policy  instruments. 

In  response  to  our  recommendations  from 
October  2008,  Executive  Council  determined 
that  Corporate  Internal  Audit  Services  (CIAS)  will 
conduct  periodic  audits  of  Service  Alberta's  security 
systems  and  protocols  once  they  are  developed. 
CIAS  will  also  perform  periodic  audits  of  ministries 
to  give  assurance  that  the  directives  are  being 
implemented. 

We  met  with  representatives  from  CIAS  and 
confirmed  that  they  are  aware  of  their  role 
in  ensuring  compliance  with  the  security 
directives  approved  in  January  2010.  We 
determined  that  CIAS  has  concluded  it  would 
be  appropriate  to  conduct  audits  to  assess  the 
development  or  implementation  and  compliance 
with  Service  Alberta's  ten  security  directives  over  a 
four  to  five  year  cycle,  beginning  in  the  2011-2012 
audit  year.  CIAS  is  currently  in  the  initial  planning 
and  knowledge  gathering  stages  for  this  four  to  five 
year  cycle. 

Some  milestones  for  CIAS  include: 
started  knowledge  gathering  of  the 
requirements  to  assess  the  ITM  security 
directives 

will  finish  the  plans  for  their  security  directives 
assessments/audits  by  June  30,  2011 
these  plans  will  be  based  on  a  risk  assessment 
of  the  ten  security  directives 
will  start  their  assessment  of  ministries  for 
their  implementation  and  compliance  with  the 
security  directives  starting  in  the  2011-2012 
audit  year 

plan  to  assess  all  ministries  for  initial 
implementation  and  compliance  by 
March  31,  2015 

Through  our  assessment,  we  did  not  identify 
current  procedures  or  controls  that  ensure 
government  departments  are  properly 


implementing  the  directives  and  can  demonstrate 
that  they  are  meeting  them. 

To  fully  implement  this  recommendation,  Service 
Alberta  must  demonstrate  that  they  have  adequate 
controls  to  monitor,  assess,  and  ensure  that  the 
security  directives  are  being  implemented  and 
followed  by  government  departments. 

Wireless  policies  and  standards — 
satisfactory  progress 
Background 

In  our  October  2008  Report  (page  75),  we 
recommended  that  the  Ministry  of  Service  Alberta, 
in  conjunction  with  all  ministries  and  through  the 
Chief  Information  Officer  (CIO)  Council,  update  its 
existing  Wireless  LAN  Access  Security  Policy  to 
provide  clearer  guidance  to  ministries  in  deploying 
and  securing  wireless-network-access  points. 

Our  audit  findings 

We  obtained  and  reviewed  Service  Alberta's  ten 
security  directives. 

We  found  that  Directive  #5 — Communications 
and  Operations  Management  references  wireless 
security  requirements.  Specifically,  it  requires  that 
wireless  local  area  networks  include: 

encryption  of  information  transmitted  over  the 

wireless  network 

user  and  device  network  access  controlled  by 
authorized  authentication  services 
network  access  control 

We  also  found  that  Directive  #  6 — Access  Control 
includes  the  requirement  to  scan  for  unauthorized 
network  equipment — including  wireless  access 
points. 

We  were  also  informed  that  the  Government  of 
Alberta  is  including  wireless  technologies  in  its 
upcoming  ICT  Bundle  6  Activities — the  Unified 
Communications  RFP  process.  Bundle  6  will 
encompass  all  communications  across  the 
GoA,  including  the  deployment  and  surveillance 
of  wireless  communications.  The  request  for 
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information  (RFI)  for  this  bundle  was  previously 
posted  on  Alberta  Purchasing  Connect. 

However,  we  did  not  find  sufficient  evidence  to 

demonstrate  that  Service  Alberta  has: 

offered  guidance  to  departments  to  help  them 
deploy  a  secure  wireless  solution 
ensured  that  wireless  solutions  in  use  are 
properly  secured  and  meet  the  requirements  of 
Security  Directive  #6 

defined  what  is  required  to  secure  a  wireless 
wide  area  network — should  one  be  desired  to 
be  implemented 

To  fully  implement  this  recommendation  Service 

Alberta  must  demonstrate  that  it: 

provides  guidance  to  departments  to  deploy  a 
secure  local  area  wireless  network 
ensures  wireless  solutions  meet  Security 
Directive  #6 

has  defined  security  standards  for  a  wireless 
wide  area  network 

Device  configurations — satisfactory 

progress 

Background 

In  our  October  2008  Report  (page  76),  we 
recommended  that  the  Ministry  of  Service  Alberta, 
in  conjunction  with  all  ministries  and  through  the 
Chief  Information  Officer  (CIO)  Council,  review  the 
configuration  of  laptops,  and  approve  policies  to 
prevent  laptops  from  inadvertently  exposing  the 
government  environment. 


Our  audit  findings 

Through  our  review  of  the  security  directives  we 
confirmed  that  the  CISO  developed  and  promoted 
security  requirements  for  portable  computing — 
including  laptops. 

The  CISO  in  Directive  #  6 — Access  Control,  section 

4.7.1  states  that: 

...appropriate  controls  must  be  implemented  to 
mitigate  security  risks  associated  with  the  use 
of  portable  computing  devices  such  as  laptops 
or  personal  digital  assistants. 


Further  4.7.1.1  details  the  implementation 
expectations  for  administrative  safeguards  and 
minimum  technical  standards. 

However,  we  were  unable  to  obtain  sufficient 
evidence  to  demonstrate  that  Service  Alberta  has 
effective  procedures  to  ensure  that  departments 
are  meeting  their  standards. 

To  fully  implement  this  control,  Service  Alberta  must 
demonstrate  that  it  has  an  effective  procedure  to 
ensure  that  departments  and  government  entities 
are  complying  with  the  mobile  computing  standards 
it  defined  and  implemented  in  Security  Directive  #6. 
Service  Alberta  must  also  demonstrate  it  has  an 
effective  procedure  to  obtain  results  of  compliance 
with  this  policy  from  Ministry  Deputy  Heads  as  per 
section  3.2  of  Directive  #  10 — Compliance. 

Ongoing  monitoring  and  surveillance — 

satisfactory  progress 

Background 

In  our  October  2008  Report  (no.  7 — page  77),  we 
recommended  the  Ministry  of  Service  Alberta,  in 
conjunction  with  all  ministries  and  through  the  Chief 
Information  Officer  (CIO)  Council,  update  network 
surveillance  methods  to  detect  and  investigate  the 
presence  of  unauthorized  wireless  access  points 
within  the  Government  of  Alberta. 


Our  audit  findings 

We  obtained  and  reviewed  Security  Directive 
#6 — Access  Control.  We  confirmed  that  there 
are  defined  requirements  for  information 
custodians  to  restrict  the  ability  of  users  to 
physically  and  logically  connect  to  networks 
according  to  the  access  control  procedures 
defined  by  information  controllers  and  may  include 
scanning  for  unauthorized  network  equipment 
(e.g.,  unauthorized  wireless  access  points  and 
virtual  local  area  networks). 

We  also  confirmed  that  section  3.2  of  Security 
Directive  #10 — Compliance,  also  requires  that 
Ministry  Deputy  Heads  self-report  to  the  CISO  that 
they  are  meeting  the  security  directives. 


Report  of  the  Auditor  General  of  Alberta 
October  2010 


Protecting  Information  Assets — Follow-up 


Through  inquiry,  we  were  informed  of  a  pilot  project 
to  install  Port-Based  Network  Access  Control  that 
is  based  on  the  IEEE  802. 1X  wireless  standard 
by  installing  801. 1X  certificates  on  GoA  client 
machines.  The  pilot  project  is  to  assess  the  ability 
to  successfully  prevent  unauthorized  access 
through  the  use  of  unauthorized  devices  at  the 
physical  layer. 

We  were  also  informed  that  although  there  are 
security  standards  to  prevent  unauthorized  devices, 
Service  Alberta  still  does  not  have  documented 
and  effective  procedures  to  monitor  for  and  prevent 
unauthorized  devices  from  entering  the  computing 
environment. 

To  fully  implement  this  procedure,  Service  Alberta 
must  demonstrate  that  it  has  effective  procedures 
to  monitor  the  government's  IT  networks  to  identify 
unauthorized  devices  and  take  the  necessary  steps 
to  investigate  and  resolve  identified  issues. 

Increasing  collaboration  by  ministries — 

implemented 

Background 

In  our  October  2008  Report  (page  84),  We 
recommended  that  the  Ministry  of  Service 
Alberta  and  the  Ministry  of  Infrastructure  work  in 
conjunction  with  all  ministries  and  through  the  CIO 
Council  to  improve  physical  and  environmental 
security  controls  of  data  facilities  by: 

improving  communication  of  responsibilities 

between  ministries 

establishing  government-wide  minimum 
physical  and  environmental  standards  for  data 
facilities 


Our  audit  findings 

We  obtained  and  reviewed  the: 

Ministry  of  Infrastructure's  defined  and 
approved  physical  and  environmental  security 
standards  for  Alberta's  shared  data  centers 
Service  Alberta's  Security  Directive  #4 — 
Physical  and  Environmental  Security  Directive 


Through  review  of  these  documents  we  determined 
that: 

there  are  now  adequate  standards  for  physical 
and  environmental  security  for  shared  and 
distributed  data  facilities 
if  the  directives,  procedures  and  standards  are 
implemented  and  consistently  followed,  they 
would  reasonably  protect  the  government's 
data  and  systems 

We  also  obtained  documentation  demonstrating 

that  Service  Alberta  and  Infrastructure: 

and  other  departments  are  communicating 
these  standards  and  the  associated  procedures 
have  plans  to  upgrade  data  centers  and  the 
associated  responsibilities  to  ensure  the  new 
standards  are  consistently  met 

Physical  and  environmental  security 

The  next  three  recommendations  are  similar 
in  nature  and  we  used  the  same  or  similar 
documentation  and  evidence  to  confirm  that 
satisfactory  progress  is  being  made.  Therefore, 
we  document  the  individual  recommendations  and 
their  specific  criteria  below  and  the  combined  audit 
findings  we  used  for  all  three. 

Backup  power  supplies — satisfactory 

progress 

Background 

In  our  October  2008  Report  (page  85),  we 
recommended  that  the  Ministry  of  Service  Alberta, 
work  in  conjunction  with  all  ministries  and  through 
the  Chief  Information  Officer  (CIO)  Council,  to 
ensure  that  ministries  that  use  data  facilities 
ensure  that  connected  computer  equipment  has  a 
sufficient  redundant  power  supply. 

Physical  security — satisfactory 

progress  

Background 

In  our  October  2008  Report  (no.  8 — page  87),  we 
recommended  that  the  Ministry  of  Service  Alberta 
work  with  the  Ministry  of  Infrastructure  and  in 
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conjunction  with  all  ministries  and  through  the  Chief 
Information  Officer  (CIO)  Council,  to  improve: 
physical  security  controls  at  data  facilities 
logging  of  access  to  data  facilities  by 
implementing  effective  controls  to  track  access 

Environmental  security — satisfactory 

progress 

Background 

In  our  October  2008  Report  (page  89),  we 
recommended  that  Ministry  of  Service  Alberta 
work  with  ministries  to  improve  the  environmental 
security  controls  at  shared  data  facilities. 


Our  audit  findings 

For  the  three  preceding  recommendations,  Service 
Alberta  developed  and  implemented  physical  and 
environmental  standards  through  their  security 
directives.  We  reviewed  Directive  #4 — Physical 
and  Environmental  Security.  We  also  reviewed 
the  Ministry  of  Infrastructure's  physical  and 
environmental  security  standards  for  Alberta's 
shared  data  centers. 

Through  review  of  these  documents  we  determined 
that: 

there  are  now  adequate  standards  for  physical 
and  environmental  security  for  shared  and 
distributed  data  facilities 
if  the  directives,  procedures  and  standards  are 
implemented  and  consistently  followed,  they 
would  reasonably  protect  the  government's 
data  and  systems 

We  also  obtained  additional  documentation  from 
the  Ministry  of  Infrastructure.  Through  review 
of  this  documentation  we  determined  that  the 
ministry  hired  a  consultant  to  develop  recognized 
government  standards  for  shared  data  facilities 
based  on  the  size  and  number  of  servers 
accommodated. 

The  consultant  also  prepared  a  gap  analysis  of 
physical  and  environmental  security  needs  for 
server  rooms  and  ranked  their  priority — based  on 
the  risk  to  the  systems  and  available  resources. 


Updates  to  shared  data  facilities  are  now 
ranked  according  to  a  high  medium,  low  or  more 
information  needed  scale.  The  costs  required  to 
bring  the  server  rooms  up  to  the  new  standards 
was  also  determined  for  each  shared  data  facility 
(SDF). 

The  documentation  states  SDFs  will  be  upgraded 
based  on  the  priority  list  and  available  funds  and 
resources.  However,  the  Ministry  of  Infrastructure 
provided  information  that  during  the  past  year,  they 
and  Service  Alberta: 

upgraded  or  provided  back-up  power  to  meet 
the  new  standards  in  31  of  the  41  shared  data 
facilities 

upgraded  the  security  and  other  electrical 
capabilities  in  21  of  the  41  SDFs 
implemented  improvements  to  security, 
back-up  power  and  air  cooling  in  eight 
distributed  server  rooms  managed  by  other 
ministries 

developed  a  3-5  year  plan  to  upgrade  the 
remaining  shared  and  distributed  data  facilities 
on  the  priority  list  pending  availability  of 
resources  and  funding 

We  did  not  perform  additional  audit  testing  to 
confirm  that  these  upgrades  were  implemented. 
When  upgrades  to  all  SDFs  are  finished,  we  will 
select  a  representative  number  of  SDFs,  and 
reassess  all  of  their  physical  and  environmental 
security  controls. 

We  were  unable  to  obtain  sufficient  evidence  to 
demonstrate  that  the  Ministries  and  Infrastructure 
and  Service  Alberta  have  adequate  procedures 
or  requirements  to  ensure  that  physical  and 
environmental  security  alerts  and  issues  are 
properly: 

monitored 

logged 

responded  to 

resolved 

To  fully  implement  these  recommendations.  Service 
Alberta  and  Infrastructure  must  demonstrate  that: 
SDFs  consistently  meet  all  required  physical 
and  environmental  security  standards 
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SDFs  have  adequate  back-up  power,  and 
critical  devices  are  properly  connected  to  that 
source 

SDFs  have  adequate  user  access  controls 
access  to  SDFs  is  logged  and  monitored 
physical  and  environmental  security  alerts  are 
monitored  and  logged  and  are  then  properly 
responded  to  and  resolved 
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Summary 


What  we  examined 

In  2007,  we  audited  systems  the  Department 
of  Treasury  Board  (the  Department)  used  to 
assess  and  prioritize  infrastructure  needs  of 
departments  and  supported  organizations  that 
rely  on  the  Government  for  their  infrastructure 
needs.  We  made  five  recommendations  in  our 
October  2007  Report,  starting  at  page  29.  This 
year,  we  conducted  follow-up  work  to  assess 
the  Department's  progress  in  implementing  the 
recommendations  that  it  should: 

1 .  Finish  developing  the  guidelines  that  define 
the  roles  and  responsibilities  of  government 
departments  and  other  organizations  that  rely 
on  government  funding  for  their  infrastructure 
needs. 

2.  Develop  objectives,  timelines,  and  targets  for 
reducing  deferred  maintenance,  and  include 
information  on  reducing  deferred  maintenance 
in  the  province's  Capital  Plan. 

3.  Require  life-cycle  costing  information  for 
proposed  infrastructure  projects,  and  establish 
a  process  that  enables  public  infrastructure 
assets  to  be  properly  maintained  over  their  life. 

4.  Improve  the  process  to  evaluate  proposed 
infrastructure  projects  that  departments  submit. 

5.  Examine  how  the  information  submitted  to 
Treasury  Board  can  be  improved. 

Why  it  is  important  to  Albertans 

Albertans  depend  on  programs  and  services 
that  rely  on  infrastructure  that  government  owns 
or  funds.  The  province's  highways,  schools, 
hospitals  and  parks  are  built  and  maintained  with 
infrastructure  funding.  Because  the  government 
does  not  have  unlimited  funds,  it  needs  to  make 
choices  about  infrastructure  spending.  Albertans 
need  to  know  that  the  government  has  chosen 
the  infrastructure  to  build  based  on  what  is  most 
important  to  meet  program  needs. 


What  we  found 

The  Department  developed  a  Capital  Planning 
Manual  that  clarified  the  roles  and  responsibilities 
of  all  participants,  and  provided  guidance  on 
the  capital  plan  process.  The  Department  made 
satisfactory  progress  improving  the  process  to 
evaluate  proposed  infrastructure  projects  by 
working  closely  with  the  departments  to  determine 
the  criteria  that  should  be  used  to  rank  projects, 
and  improving  the  process  to  apply  the  criteria 
consistently.  We  cannot  conclude  that  the 
recommendation  is  implemented  because  the 
Department  needs  to  complete  a  capital  planning 
cycle  using  this  process,  and  it  should  develop  an 
information  system  to  better  facilitate  the  capital 
planning  process. 

For  the  2011-2014  and  future  capital  plans,  the 
Department  will  require  departments  to  include 
life-cycle  costs  for  proposed  projects,  including  the 
cost  to  maintain  the  infrastructure  over  its  life.  This 
improvement  will  help  the  government  make  better 
decisions  on  infrastructure,  since  knowing  the  total 
cost  of  infrastructure  over  its  life  is  more  relevant 
than  just  the  initial  purchase  cost. 

However,  the  Department  has  not  made  any 
meaningful  progress  in  establishing  a  process  that 
enables  publicly  funded  infrastructure  assets  to 
be  maintained  over  their  life.  The  Department  has 
made  some  improvements  in  the  quality  of  the 
information  on  the  condition  of  infrastructure,  but  it 
still  doesn't  have  a  plan,  with  timelines  and  targets, 
for  reducing  deferred  maintenance. 

The  Department  still  needs  to  assess  how  the 
current  information  available  for  Treasury  Board  to 
make  funding  decisions  can  be  improved. 

What  remains  to  be  done 

The  Department  still  needs  to  determine  how  best 
to  maintain  existing  infrastructure  over  its  life.  This 
includes  improving  its  processes  so  it  has  good 
information  on: 

the  condition  of  existing  infrastructure 
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the  life-cycle  costs  to  maintain  it  over  its  life, 
and 

the  deferred  maintenance  that,  if  not  corrected, 
impacts  program  and  service  delivery,  future 
maintenance  costs,  or  life  of  the  infrastructure. 

The  Department  needs  to  develop  a  plan,  with 
timelines  and  targets  to  reduce  the  deferred 
maintenance.  It  also  should  include  this  information 
in  the  publicly  reported  capital  plan,  or  some 
other  form  of  public  reporting,  as  this  is  important 
information  to  demonstrate  the  government's 
accountability  for  maintaining  valuable  provincial 
infrastructure. 

The  Department  has  not  yet  completed  its 
examination  of  how  the  information  provided  to 
Treasury  Board  can  be  improved  to  assist  them 
in  making  decisions  on  how  to  allocate  capital 
funding.  Examples  of  factors  that  the  Department 
will  need  to  consider  include: 

how  to  summarize  infrastructure  needs 
between  new  projects  and  maintaining  existing 
assets 

how  to  summarize  information  so  that  decision 
makers  get  an  appropriate  amount  of  detail  on 
proposed  projects 

how  approving  new  infrastructure  will  impact 
future  maintenance  costs,  and  the  impact  in 
terms  of  service  quality  and  overall  costs  of 
maintenance,  if  that  maintenance  is  deferred 
how  to  summarize  key  qualitative  information, 
such  as  health  and  safety  issues 


PROGRAM  DEPARTMENTS 

Departments  are  responsible  for  providing  programs  and 
services.  They  are  responsible  for  identifying  their  infrastructure 
needs  and  submitting  their  requests  to  the  Department  of 
Treasury  Board. 


Audit  objectives  and  scope 


Our  audit  objective 

Our  audit  objective  was  to  determine  if  the 
Department  of  Treasury  Board  has  implemented 
the  five  recommendations  from  our  2007  report  by: 
establishing  guidelines  that  define  the  roles  and 
responsibilities  of  government  departments  and 
other  organizations  that  rely  on  government 
funding  for  their  infrastructure  needs 
developing  objectives,  timelines  and  targets  for 
reducing  deferred  maintenance,  and  including 
information  on  reducing  deferred  maintenance 
in  the  province's  capital  plan 
requiring  life-cycle  costing  for  proposed 
infrastructure  projects,  and  establishing  a 
process  that  enables  public  infrastructure 
assets  to  be  maintained  over  their  life 
improving  the  process  to  evaluate  proposed 
infrastructure  projects  that  departments  submit 
examining  how  the  information  submitted  to 
Treasury  Board  can  be  improved 

Our  scope 

We  limited  our  audit  work  to  the  Department  of 
Treasury  Board's  processes  to  carry  out  their 
responsibilities,  and  focused  on  the  Department's 
actions  since  our  original  audit.  The  following 
chart  summarizes  the  responsibilities  of  the 
government,  the  Department  of  Treasury  Board, 
and  departments.  A  complete  list  of  the  key  players 
and  their  responsibilities  can  be  found  in  the 
appendix — see  page  97. 

DEPARTMENT  OF  INFRASTRUCTURE 

The  Department  of  Infrastructure  maintains  the  information  on 
the  condition  of  schools,  university  and  college  buildings,  health 
facilities  and  government  owned  buildings.  The  Department 
provides  consultation  to  departments  and  supported  infrastructure 
organizations  on  the  technical  aspects  of  infrastructure  development 
and  expected  maintenance  and  renewal  costs. 


DEPARTMENT OFTREASURY  BOARD 

The  Department  of  Treasury  Board  is  responsible 
for  leading  the  government's  capital  plan  process,  developing 

and  managing  the  Capital  Plan,  and  providing  advice  and 
analysis  on  planning,  construction  costs  and  capital  spending. 


r 

GOVERNMENT 

Treasury  Board  Capital 
Planning  Committee 
Treasury  Board 
Caucus 

The  Government  is  responsible 
for  deciding  the  size  of  the  Capital 
Plan,  the  allocation  between 
maintenance  and  new  projects 
and  making  funding  decisions. 

Figure  1 :  Chart  of  the  responsibilities  for  infrastructure  planning 
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We  interviewed  management  and  staff  of  seven  program  departments  that  represented  a  cross-section  of 
infrastructure  needs  to  enable  us  to  assess  the  Department  of  Treasury  Board's  processes: 

Department  of  Health  and  Wellness  for  health  care  facilities 

Department  of  Education  for  schools 

Department  of  Advanced  Education  and  Technology  for  university  and  college  buildings 
Department  of  Transportation  for  roads  and  highways 
Department  of  Infrastructure  for  government  buildings 

Department  of  Environment  for  water  management  infrastructure  such  as  dams 
Department  of  Tourism  Parks  and  Recreation,  for  parks 

We  conducted  our  fieldwork  from  January  to  July,  2010.  As  in  our  2007  audit,  we  did  not  examine  the  process 
to  allocate  infrastructure  grants  to  municipalities.  Our  interviews  with  the  staff  of  the  departments  focused  on 
the  2010-2013  capital  plan  process. 

The  Department  solicited  input  from  departments  on  the  2010-2013  Capital  Plan  process  and  made  changes 
for  the  2011-2014  Capital  Plan.  We  examined  the  Department's  process  to  make  those  changes  through 
document  review  and  discussion  with  the  Department  of  Treasury  Board's  staff. 


2006-2007 
Annual  Report 

Original  Recommendation 

Status  Based  on  Our  2010  Follow-up  audit 

No.  1,  page  39 

Finish  developing  guidelines  that  define  the  roles  and 
responsibilities  of  government  ministries  and  other 
organizations  that  rely  on  government  funding  for  their 
infrastructure  needs. 

Implemented 

No.  2,  page  49 

Develop  objectives,  timelines,  and  targets  for  reducing 
deferred  maintenance  and  include  information  on  reducing 
deferred  maintenance  in  the  province's  Capital  Plan. 

Recommendation  repeated 

No.  3,  page  54 

Require  life-cycle  costing  information  for  proposed 
infrastructure  projects,  and 

Establish  a  process  that  enables  public  infrastructure  assets 
to  be  properly  maintained  over  their  life. 

Satisfactory  progress.  The  Department 
needs  to  complete  the  2011-2014  Capital 
Plan  before  we  can  assess  that  the 
recommendation  is  implemented. 

Recommendation  repeated 

No.  4,  page  57 

Improve  the  process  to  evaluate  proposed  infrastructure 
projects  that  ministries  submit. 

Satisfactory  progress.  The  Department 
needs  to  complete  the  2011-2014  Capital 
Plan  before  we  can  assess  that  the 
recommendation  is  implemented. 

No.  5,  page  59 

Examine  how  the  information  submitted  to  Treasury  Board 
can  be  improved. 

Progress  not  assessed 

Table  1:    Status  of  the  original  recommendations  based  on  our  2010  follow-up  audit 


Findings  and  recommendations 


Roles  and  responsibilities  — 

implemented 

Background 

We  recommended  that  the  Department  of 
Treasury  Board,  working  with  departments,  finish 
developing  the  guidelines  describing  roles  and 
responsibilities  for  assessing  and  prioritizing 
individual  infrastructure  projects.  It  should  then 
have  communicated  the  guidelines  and  developed 
processes  for  monitoring  department's  compliance 
with  the  guidelines. 


Our  audit  findings 


The  Department  of  Treasury  Board  took  the 
following  steps  to  implement  the  recommendation: 
consulted  with  departments  on  the  roles  and 
responsibilities  for  capital  planning  and  the 
process  to  prioritize  projects 
used  the  findings  from  the  consultation  process 
to  draft  Alberta's  Capital  Planning  Manual 
tested  the  process  and  draft  Capital  Planning 
Manual  used  for  the  201 0-201 3  capital  plan 
submissions 

developed  a  pre-screening  process  and 
reviewed  departments'  submissions  for 
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compliance  with  its  requirements,  and 
requested  departments  to  correct  their 
submissions 

consulted  with  departments  on  the  process  and 
manual  to  identify  areas  for  improvement 
established  committees  to  recommend 
solutions  to  the  problems  identified 
recommended  changes  to  the  process  and 
manual  to  a  committee  of  Assistant  Deputy 
Ministers 

incorporated  the  approved  changes  into  the 
process  and  manual  for  the  2011-2014  capital 
plan  submissions 

Deferred  maintenance — 
recommendation  repeated 
Background 

When  maintenance  is  not  done  when  required,  it  is 
referred  to  as  deferred  maintenance.  In  our  October 
2007  Report  (vol.  1 — page  49),  we  reported  that  a 
deferred  maintenance  backlog  had  developed  over 
time  as  a  result  of  not  maintaining  infrastructure. 
The  Financial  Management  Commission  had 
recommended  five  years  earlier,  in  2002,  that 
the  province  develop  a  plan  to  deal  with  deferred 
maintenance  over  the  next  five  years.  Although  the 
government  had  accepted  the  recommendation, 
there  was  still  no  plan  to  deal  with  deferred 
maintenance  when  we  reported  in  2007. 

The  Department's  response  to  our 
recommendation,  and  the  government's  20-Year 
Strategic  Capital  Plan,  announced  in  January  2008, 
was  that  they  believed  that  the  focus  should  have 
been  on  all  maintenance,  whether  deferred  or  not, 
and  that  maintenance  should  be  addressed  on  a 
risk  basis,  with  the  greatest  risk  items  addressed 
first. 

We  agreed  with  the  Department  that  the  focus 
should  be  on  all  maintenance  requirements.  We 
had  recommended  that  the  Department  should 
establish  a  sustainable  process  to  ensure  that 
all  public  infrastructure  assets  are  maintained, 
(see  page  91).  However,  the  backlog  of  deferred 
maintenance  needed  to  be  addressed. 
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Funding  for  capital  maintenance  and  renewal  is 
provided  in  a  variety  of  ways: 

departments  request  funding  for  capital 
maintenance  and  renewal: 

departments  submit  requests  through  the 
annual  capital  planning  process 
departments  submit  requests  to  the 
Department  of  Infrastructure  for  funding 
from  the  Capital  for  Emergent  Programs 
Fund,  for  emergency  funding  between 
capital  planning  cycles 
annual  block  funding  for  capital  maintenance 
is  provided  to  departments  responsible  for 
education,  post-secondary  education  and 
health  care — The  departments  distribute  this 
funding  directly  to  the  supported  organizations, 
capital  maintenance  and  renewal  funding 
for  infrastructure  assets  that  were  procured 
through  long-term  contractual  arrangements 
(public-private-partnership  arrangements — P3) 
is  included  in  the  contract — Eighteen  schools, 
for  example,  were  recently  acquired  under  a  P3 
arrangement.  The  contract  included  30  years  of 
maintenance  and  facility  renewal.1 
funding  for  capital  maintenance  and  renewal 
was  provided  to  departments  and  supported 
organizations,  under  the  Surplus  Allocation 
Policy.  In  Budget  2007,  the  government  had 
established  a  Surplus  Allocation  Policy,  and 
at  least  one-third  of  any  surpluses  were  to  be 
used  for  capital  maintenance  and  renewal. 

Information  on  the  physical  condition  of 

infrastructure  is  stored  in  three  main  information 

management  systems: 

the  Department  of  Transportation's  system 

(TIMS)  tracks  the  physical  condition  and 

utilization  of  roads  and  highways 

the  Department  of  Environment's  system 

(EIMS)  tracks  the  physical  condition,  utilization 

and  functionality  of  the  province's  water 

management  systems  such  as  dams 

the  Department  of  Infrastructure's  system 

(BLIMS)  tracks  the  physical  condition  of  the 

government  owned  buildings  and  supported 

organizations  such  as  school  boards — The 

Department  of  Infrastructure  prepares  the 

1      http://education.  alberta,  ca/media/1 320820/ 

asapip3valueformoneyassessmentandprojectreport.pdf 
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performance  information  on  the  physical 
condition  of  buildings.  Beginning  in  2004- 
2005,  the  Department  started  updating  the 
information  on  buildings  based  on  independent 
evaluations.  The  Department's  goal  was  to 
complete  an  evaluation  of  each  facility  every 
five  years. 

The  Department  of  Infrastructure  requests  that 
school  boards  and  post-secondary  institutions 
update  the  information  in  its  information  system 
and  provides  access  to  these  organizations  to 
enable  them  to  access  the  system  directly.  The 
Department  of  Infrastructure  told  us  that  they 
plan  to  make  the  updating  of  school  information 
mandatory  for  the  2010-2011  fiscal  year,  but  have 
not  yet  made  it  a  requirement  for  post  secondary 
institutions  and  health  facilities. 


Criteria:  the  standards  for  our  audit 

1 .  The  Department  of  Treasury  Board  should  use 
a  disciplined  needs  assessment  and  prioritizing 
process  to  recommend  funding  allocations  to 
decision  makers. 

2.  Complete,  relevant  and  accurate  information 
should  support  the  needs  assessment  and 
prioritizing  process. 

3.  The  Capital  Plan  should  include  information  on 
the  current  amount  of  deferred  maintenance, 
and  the  government's  plan  to  reduce  it. 


Recommendation:  deferred  maintenance 


RECOMMENDATION  NO.  8— REPEATED 


We  again  recommend  that  the  Department 
of  Treasury  Board,  in  consultation  with 
departments,  develop  objectives,  timelines  and 
targets  for  reducing  deferred  maintenance,  and 
include  information  on  deferred  maintenance  in 
the  province's  Capital  Plan. 

Our  audit  findings 


Key  Points 


•  No  meaningful  progress  in  implementing 
recommendation 

•  Still  no  objectives,  timelines  or  targets  for 
reducing  deferred  maintenance 

•  Deferred  maintenance  still  not  reported  publicly 

•  Process  for  maintaining  current  information 
of  maintenance  requirements  not  operating 
effectively 


We  repeat  the  recommendation  because  the 
Department  still  has  not  made  any  meaningful 
progress  in  developing  objectives,  timelines  and 
targets  for  reducing  deferred  maintenance,  and  has 
yet  to  include  information  on  deferred  maintenance 
in  its  Capital  Plan,  or  some  other  similar  form  of 
public  reporting.  The  Department  did  not  complete 
its  plan  by  December  2008,  which  was  the  target 
of  the  original  implementation  plan,  and  in  its 
August  2009  status  report  to  our  office  no  longer 
specified  a  completion  date. 

It  has  made  some  progress  in  both  updating  its 
process  to  prioritize  maintenance  submissions 
and  in  obtaining  more  complete  information  on  the 
current  condition  of  infrastructure.  However,  the 
Department  has  yet  to  implement  a  sustainable 
system  to  ensure  current  infrastructure 
condition  information  is  available  for 
summarizing  and  making  recommendations 
to  Treasury  Board.  Ultimately,  Treasury  Board 
provides  recommendations  to  Cabinet  on  the 
funding  decisions. 

As  discussed  on  page  91 ,  the  Department  does 
not  have  a  process  in  place  that  enables  ongoing 
maintenance  for  new  infrastructure  to  occur  as 
needed.  Until  this  is  done,  the  risk  exists  for  the 
current  deferred  maintenance  balance  to  grow. 

The  Department  made  improvements  in: 

the  process  to  prioritize  departments'  requests 
for  capital  maintenance  and  renewal  funding — 
For  the  2010-2013  Capital  Plan,  the 
Department  of  Treasury  Board  required 
departments  to  submit  information  for 
each  capital  maintenance  and  renewal 
request:  physical  condition,  likelihood  of  the 
infrastructure  failing,  and  impact  if  it  fails.  This 
information  enabled  the  Department  to  rank  the 
risk  of  each  project  from  low  to  high. 

the  information  on  the  physical  condition 
of  buildings — The  Department  has  more 
complete  information  on  the  physical  condition 
of  buildings  than  it  had  in  2007.  Evaluations 
to  independently  assess  the  condition  of 
supported  infrastructure  buildings  are  still 
not  complete,  but  have  improved  since  2007 
based  on  the  information  the  Department  of 
Infrastructure  provided  us. 
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Type  of  buildings 

Number  of 
buildings 

Facilities  included  in  the  Building 
Information  System  (BLIMS) 

Independent  evaluations 
completed  to  assess  the 
condition  of  the  facility 

2010 

20072 

2010 

2007 

2010 

Post-secondary 

325 

100% 

100% 

58 

228 

Schools 

1,505 

100% 

100% 

325 

1,424 

Health  Facilities 

389 

0% 

25% 

0 

83 

Table  2:    Source:  Department  of  Infrastructure,  unaudited 


The  process  to  keep  the  information  on  the  physical  condition  of  buildings  current  is  not  operating  effectively. 
The  following  table  uses  the  Department  of  Infrastructure's  timelines  to  determine  the  average  number  of 
years  between  evaluations  for  supported  organizations.3  The  average  number  of  years  between  evaluations 
is  greater  than  the  Department  of  Infrastructure's  goal  of  completing  evaluations  every  five  years. 


Department 

Number  of 
buildings  to  be 
evaluated 

Fiscal  year  the 
evaluations  were 
started 

Fiscal  year  in  which  one 
evaluation  of  each  facility  will 
have  been  done 

Average 
number  of 
years  between 
evaluations 

Advanced  Education 

325 

2005-2006 

2011-2012 

7 

Education 

1,505 

2004-2005 

2009-2010 

5 

Health 

389 

2008-2009 

2017-2018 

10 

Table  3:    Source:  Department  of  Infrastructure, unaudited 


Department  of  Infrastructure  could  not  tell  us 
whether  all  organizations  that  should  have  updated 
the  data  had  done  so  because  they  don't  track  that 
information. 

The  Department  of  Treasury  Board  cannot  ensure 
the  accuracy  of  the  information  on  the  physical 
condition  of  buildings  on  its  own.  However,  since 
its  mandate  is  to  establish  and  oversee  the  overall 
capital  planning  framework  and  budgeting  for 
the  province,  and  it  is  responsible  for  providing 
information  to  decision  makers,  it  has  a  role  to  play 
to  see  that  the  information  gathered  is  complete 
and  accurate.  Therefore,  it  will  have  to  work  closely 
with  other  departments,  including  most  importantly 
the  Department  of  Infrastructure,  to  enable  good 
information  to  exist. 

The  government  did  not  allocate  the  surpluses  in 
accordance  with  the  policy  as  described  in  Budget 
2007. 4  The  government  allocated  approximately 
$1.6  billion  to  capital  maintenance  and  renewal, 
which  was  approximately  $2.25  billion  less  than  the 
amount  that  would  have  been  allocated  based  on 
the  description  of  the  policy  in  Budget  2007. 


4  www.finance.alberta.ca/publications/budget/index.html 
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The  process  to  keep  information  on  the  physical 
condition  of  buildings  current  needs  to  be  improved. 
The  Department  of  Treasury  Board  does  not  have 
a  process  to  provide  assurance  to  Treasury  Board 
that  information  on  building  condition  is  the  most 
current  and  accurate,  since  there  is  no  consistent 
process  where  that  data  is  updated  by  all 
organizations,  accurately  and  regularly.  There  is  no 
evidence  that  all  school  boards  and  post-secondary 
institutions  are  updating  the  information  on  the 
condition  of  buildings  between  evaluations  because 
their  participation  has  been  voluntary.  It  will  be 
mandatory  for  school  boards  for  the  2010-2011 
fiscal  year,  but  there  is  currently  no  requirement 
for  post-secondary  institutions  and  Alberta  Health 
Services  to  update  the  information. 

We  reviewed  the  access  logs  to  assess  whether 
school  boards  and  post-secondary  institutions 
update  the  facility  data  and  found  that  the  data 
bases  were  accessed  regularly.  However,  the 


2  Annual  Report  of  the  Auditor  General  of  Alberta 
2006-07,  vol.  1,  p.  52. 

3  We  did  not  verify  the  information  provided  to  us  by  the 
Department  of  Infrastructure.  We  used  the  information 
provided  to  determine  the  average  number  of  years 
between  evaluations,  assuming  that  the  number  of 
evaluations  conducted  per  year  is  constant. 
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Capital  Maintenance 
and  Renewal 

The  amount  that  should  have 
been  allocated  under  the  policy 

$3.85  billion5 

The  amount  actually  allocated 

$1.6  billion 

Difference  between  the  policy  and 
the  actual  allocations 

$2  25  billion 

Table  4:   Allocation  to  Capital  Maintenance  and  Renewal  under 
the  Surplus  Allocation  Policy 


Surpluses  for  the  quarter  ended  June  30,  2009, 
were  primarily  allocated  to  strategic  initiatives  such 
as  the  Green  Transit  Incentives  Program  and  the 
Carbon  Capture  and  Storage  Initiative,  which  were 
each  allocated  $2  billion,  and  to  new  infrastructure. 
In  effect,  the  policy  was  changed. 


Implications  and  risks  if  recommendation 
not  implemented 

Infrastructure  may  cost  more  than  it  should  over 
the  life  of  the  asset  and  may  have  to  be  replaced 
prematurely.  Public  safety  and  effective  program 
delivery  may  be  at  risk. 

Maintaining  existing  infrastructure — 
recommendation  repeated 
Background 

We  modified  the  wording  our  original 
recommendation  made  in  our  October  2007  Report 
(no.  3,  vol.  1 — page  54).  That  recommendation 
stated  that  the  Department  of  Treasury  Board 
needed  to  establish  a  process  to  ensure  public 
infrastructure  assets  are  properly  maintained 
over  their  life.  However,  the  Department  does 
not  determine  funding  levels,  so  we  changed 
the  wording  to  reflect  that  the  Department  needs 
to  establish  a  process  that  provides  information 
needed  to  determine  maintenance  requirements  for 
infrastructure  assets  over  their  life.  Our  expectation 
is  that  the  Department  provides  the  information  to 
Treasury  Board  on  the  amount  of  funding  needed 
to  properly  maintain  infrastructure.  Treasury  Board 


5     Under  this  policy,  if  the  annual  surplus  was  higher  than 
the  budget  estimate,  two-thirds  of  the  unbudgeted 
surplus  would  go  to  capital  needs,  and  at  least  50% 
of  the  capital  share  had  to  be  used  to  address  capital 
maintenance  and  replacement. 


will  then  make  recommendations  to  Cabinet  on 
funding  levels. 

When  we  reported  in  2007,  the  Department  did 
not  follow  a  disciplined  maintenance  regime,  such 
as  it  used  for  assets  contracted  through  long- 
term  contracts  (P3  partnerships).  The  Department 
required  departments  to  submit  the  costs  to 
acquire  and  operate  the  proposed  infrastructure, 
but  didn't  require  the  maintenance  and  renewal 
costs.  Knowing  the  total  cost  of  infrastructure  over 
its  life  would  provide  decision  makers  with  better 
information  about  which  projects  to  fund. 

In  January  2008.  the  government  announced  its 
strategic  long-term  capital  plan  for  the  province.6 
The  government's  maintenance  and  renewal 
approach  was  outlined  in  the  plan/ 

As  a  "risk-based  approach  for  addressing  all 
capital  maintenance  and  renewal  requirements. 
The  approach  will  be  based  on  information 
that  identifies  critical  capital  maintenance  and 
renewal  needs  for  Alberta. 
Once  the  need  is  determined  in  an  accurate 
and  verifiable  manner  an  action  plan  will  be 
implemented. 

The  action  plan  will  also  implement  a  system  to 

monitor  and  report  on  the  condition  of  Alberta's 

assets  to  ensure  maintenance  issues  are 

addressed  in  a  timely  manner. 

The  government  will  continue  to  address  the 

most  critical  maintenance  and  renewal  issues 

through  existing  programs." 

The  Surplus  Allocation  Policy  "will  continue  to 

help  address  critical  maintenance  and  renewal 

issues  in  the  years  to  come". 

By  December  2007,  the  Department  had  completed 
a  State  of  Infrastructure  Report,  to  identify 
potential  issues  and  strategies  to  deal  with  capital 
maintenance  and  renewal.  The  Department  initially 

6  The  20-Year  Strategic  Capital  Plan  to  Address  Alberta 's 
Infrastructure  Needs,  January  29,  2008,  http://www. 
treasuryboard. alberta. ca/capitalplanning.cfm 

7  Page  65,  The  20-Year  Strategic  Capital  Plan  to  address 
Alberta's  Infrastructure  Needs.  January  29.  2008.  http:// 
www.treasuryboard. alberta. ca/capitalplanningcfm 
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planned  to  follow  the  approach  described  by  the 
government  in  the  long-term  strategic  plan  and 
would: 

by  June  30,  2008,  develop  a  framework  for 
assessing  and  measuring  all  government 
infrastructure  requirements,  including 
maintenance  and  renewal 
by  September  30,  2008,  in  consultation  with 
other  departments,  determine  the  specific 
requirements  for  owned  and  supported 
infrastructure,  and  recommend  a  plan  to  fulfill 
the  requirements  over  an  appropriate  period  of 
time 

by  September  30,  2008,  in  consultation  with 
departments,  complete  an  assessment  of  the 
needs  regarding  information  requirements 
for  measuring  the  effectiveness  of  capital 
maintenance  and  renewal  strategies 


Recommendation:  maintaining  assets  over 
their  life 


RECOMMENDATION  NO.  9— REPEATED 


We  again  recommend  that  the  Department 
of  Treasury  Board  establish  a  process  that 
enables  public  infrastructure  assets  to  be 
properly  maintained  over  their  life. 


Criteria:  the  standards  for  our  audit 

1 .  The  costs  of  providing  the  government  program 
and  maintaining  facilities  should  be  estimated 
for  capital  projects'  expected  useful  life  when 
projects  are  assessed. 

2.  Infrastructure  maintenance  should  occur  when 
needed  to  protect  the  service  life  of  the  asset;  it 
should  not  be  deferred  past  that  time. 


Our  audit  findings 


Key  Points 


•  Departments  will  now  be  required  to  submit 
information  on  the  cost  of  maintaining  assets 
over  their  life  for  proposed  projects 

•  But  still  no  process  for  providing  complete  and 
accurate  information  on  funding  requirements 
for  capital  maintenance  and  renewal  to  decision 
makers 

•  For  projects  carried  out  by  private  sector, 
capital  maintenance  and  renewal  requirements 
governed  by  contract 
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The  Department  has  made  satisfactory  progress 
in  implementing  the  first  criterion  because  it  will 
require  departments  to  submit  all  costs  associated 
with  projects,  including  the  acquisition,  operating 
and  maintenance  and  renewal  costs,  starting  with 
the  2011-2014  Capital  Plan. 

We  have  repeated  the  part  of  our  recommendation 
related  to  the  second  criterion  because  the 
Department  still  has  not  established  a  process 
to  provide  complete  and  accurate  information 
to  decision  makers  on  the  funding  needs  for 
maintaining  new  and  existing  infrastructure  that 
it  self-finances,  even  though  it  has  established 
effective  processes  to  maintain  infrastructure 
constructed  and  financed  under  long-term 
contractual  arrangements  with  the  private  sector 
(P3  arrangements).  The  Department  has  structured 
those  contracts  so  that  the  payments  include  the 
capital  maintenance  and  renewal  for  30  years. 
Contractors'  payments  will  be  contingent  upon 
them  completing  the  maintenance  agreed  to  in  the 
contracts  which  will  enable  the  infrastructure  to  be 
properly  maintained. 

The  Department  did  not  meet  its  timeline  of 
September  30,  2008,  as  the  date  it  would  have 
recommended  a  plan  to  government  to  maintain 
existing  infrastructure.  In  August  2009,  the 
Department  told  our  office  that  their  work  was 
ongoing  but  did  not  have  an  estimated  completion 
date. 

In  January  2010,  the  Departments  of  Treasury 
Board  and  Infrastructure  established  a 
Sustainability  Stewardship  Committee  to  advance 
life-cycle  costing  and  measures  of  infrastructure 
performance  for  government  owned  and  supported 
buildings.  The  Department  of  Treasury  Board  told 
us  that  they  will  initially  focus  on  buildings  as  they 
feel  that  the  government's  current  information 
on  life-cycle  costing  is  more  advanced  for  roads, 
bridges  and  water  management  systems. 

At  the  Committee's  first  meeting  in  June  2010, 
members  agreed  on  the  working  committees 
that  will  be  established  and  their  priorities. 
At  subsequent  meetings,  the  Committee  will 
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define  its  mandate  and  terms  of  reference,  and 
develop  timelines  for  the  priorities  that  have  been 
established. 


progress  in  improving  the  functionality  of  the  capital 
planning  information  system.  Overall,  given  the 
improvements,  we  note  progress  as  satisfactory. 


Implications  and  risks  if  recommendation 
not  implemented 

Infrastructure  may  cost  more  than  it  should  over 
the  life  of  the  asset  and  may  have  to  be  replaced 
prematurely.  Public  safety  and  effective  program 
delivery  may  be  at  risk. 

There  may  be  a  disconnect  in  the  service  levels 
between  assets  the  government  self-finances,  and 
those  it  acquires  through  contracts  that  include 
construction  and  maintenance  of  the  infrastructure. 

Process  to  prioritize  infrastructure 
projects — satisfactory  progress 
Background 

In  our  October  2007  Report  (no.  4,  vol.  1  — 
page  57),  we  recommended  that  the  Department 
improve  the  process  to  evaluate  projects  that 
departments  submit.  We  focused  primarily 
on  proposed  new  projects  and  made  the 
recommendation  because  we  noted  two  areas 
where  improvements  were  needed:  in  the  criteria 
used  to  rank  projects,  and  the  Department's 
process  apply  the  criteria  consistently  and  the 
information  systems  used  for  infrastructure 
planning. 


Our  audit  findings 


Key  Points 


•  Improvements  made  relating  to  the  process  for 
ranking  new  infrastructure  projects 

•  Still  too  early  to  determine  if  decision  makers 
have  good  information  on  health  and  safety  risks 

•  No  progress  to  improve  functionality  of  capital 
planning  information  system 

Based  on  our  examination  of  the  Department's 
2010-2013  capital  plan  process,  and  the 
proposed  changes  for  the  2011-2014  process, 
we  concluded  that  the  Department  has  made 
satisfactory  progress  implementing  changes  to 
deal  with  the  weaknesses  noted  in  the  criteria  and 
the  process  to  apply  the  criteria  consistently.  We 
also  concluded  that  the  Department  has  not  made 


The  Department  made  satisfactory  progress 

regarding  the  criteria  used  to  rank  new 

infrastructure  projects,  by: 

reviewing  the  criteria,  in  consultation  with 
departments,  and  testing  the  revised  set  of 
criteria  for  the  2010-2013  Capital  Plan 
debriefing  the  201 0-201 3  process  with 
departments,  and  establishing  a  sub-committee 
to  review  issues  and  recommending  changes 
for  the  2011-2014  Capital  Plan 
adopting  the  sub-committee's 
recommendations,  thereby  correcting  the 
deficiencies  identified  by  departments  at  the 
debriefing  sessions — The  sub-committee 
reviewed  other  jurisdictions'  processes  to 
evaluate  projects  and  concluded  that  the 
criteria  used  for  the  2010-2013  Capital 
Plan  covered  most  areas  of  importance,  but 
recommended  additional  criteria  to  incorporate 
health  and  safety  concerns,  and  other 
economic,  social  and  environmental  aspects  of 
projects. 

During  our  audit  of  Alberta's  Water  Supply  (our 
April  2010  Report,  pages  53  to  79),  we  noted 
that  the  Department  of  Environment's  dam 
rehabilitation  projects  had  not  scored  well  against 
other  infrastructure  projects  submitted  for  the 
2010-2013  Capital  Plan.  We  said  that  we  would 
try  to  understand  why  they  didn't  score  well  when 
we  did  this  follow-up  audit.  Environment  had 
submitted  these  projects  as  their  highest  priorities 
based  on  their  overall  risk.  Risk  was  determined 
based  on:  the  condition,  what  would  happen  if  the 
problem  was  not  corrected,  and  the  likelihood  it 
would  happen.  In  the  2010-2013  process,  health 
and  safety  issues  did  not  have  points  assigned, 
however,  information  on  these  issues  was 
brought  forward  through  the  written  department 
submissions. 

For  the  2011-2014  Capital  Plan,  points  will  now  be 
assigned  for  health  and  safety  issues.  However, 
it  is  still  too  early  for  us  to  determine  if  decision 
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makers  have  good  information  on  health  and  safety 
risks  when  they  make  their  funding  decisions.  We 
still  need  to  see  how  the  Department  summarizes 
the  information  for  decision  makers,  either  through 
the  follow-up  of  this  recommendation  and  the 
recommendation  below,  or  a  systems  project  on 
infrastructure  health  and  safety,  before  we  can 
assess  whether  decision  makers  have  adequate 
information  on  factors  such  as  health  and  safety 
risks. 

The  Department  made  satisfactory  progress 
regarding  its  process  to  apply  the  criteria 
consistently  for  new  infrastructure  projects,  by: 
expanding  the  peer  review  of  each 
department's  ranking  of  the  criteria  for  their 
projects  from  a  single  department  to  all 
departments 

providing  each  department  an  opportunity  to 
present  their  proposed  projects  to  their  peers 
prior  to  the  review  of  the  ranking  of  the  criteria 
by  the  group 

debriefing  the  201 0-201 3  process,  with 
departments,  and  establishing  a  sub-committee 
to  review  the  issues  and  recommend  changes 
for  the  2011-2014  Capital  Plan,  and 
adopting  the  sub-committee's 
recommendations,  thereby  addressing  the 
issues  identified  by  departments  at  the 
debriefing  sessions — The  key  changes 
adopted  were  to  separate  the  presentation  by 
departments  of  their  projects  to  their  peers  from 
the  review  of  the  ranking  of  the  criteria,  and 
to  reduce  departments'  time  commitment  by 
establishing  online  review  and  scoring. 

The  Department  improved  the  process  to  prioritize 

maintenance  and  renewal  projects  by: 
requiring  departments  to  submit  their 
assessment  of  the  physical  condition  of 
the  infrastructure  and  the  likelihood  of  the 
infrastructure  failing,  and  the  impact  if  it  fails, 
and 

using  the  information  to  rank  the  projects  by 
risk 

The  Department  has  not  made  satisfactory 
progress  improving  the  capital  planning  information 
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(CPI)  system,  and  the  issues  we  identified  in 
2007  still  exist.  The  CPI  system  still  does  not 
produce  summary  information  for  Treasury  Board, 
such  as  the  ranking  of  maintenance  and  renewal 
submissions  noted  above.  The  system  cannot 
produce  historical  reports  such  as  prior  years' 
submissions.  The  process  places  heavy  reliance 
on  Excel  spreadsheets  to  manipulate  data  for 
reporting  which  is  both  inefficient  and  prone  to  error 
without  appropriate  safeguards  in  place. 

The  Department  told  us  that  they  plan  to  request 
funding  in  the  2011-2014  Capital  Plan  to 
replace  the  existing  system.  Between  May  and 
July  2010,  the  Department  contracted  for  a  needs' 
assessment  that  it  could  use  as  the  requirements 
document  for  development  of  a  new  information 
system. 

What  needs  to  be  done 
In  order  to  finish  implementing  the 
recommendation,  the  Department  needs  to: 
complete  a  capital  planning  cycle  using 
the  process  it  developed — Assess  with 
departments  whether  what  is  available  for 
the  prioritization  process  and  summarized  for 
decision  makers  represents  the  information 
decision  makers  need  to  assess  the  projects, 
develop  an  information  system  that  meets  its 
needs 

Information  to  Treasury  Board — 
progress  not  assessed 
Background 

In  our  October  2007  Report  (no.  5,  vol.  1  — 
page  59),  we  recommended  that  the  Department  of 
Treasury  Board,  working  with  the  Treasury  Capital 
Planning  Committee,  examine  how  the  current 
information  provided  to  Treasury  Board  can  be 
improved. 

The  Department  of  Treasury  Board  planned  to 
complete  their  initial  assessment  of  the  information 
requirements  of  the  Committee  and  Treasury  Board 
by  April  2008,  with  annual  updates  thereafter.  The 
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Department  told  us  that  revisions  to  the  Capital 
Plan  Manual  have  delayed  implementation  of  the 
recommendation. 


Examples  of  factors  that  the  Department  will  need 

to  consider  include: 

how  to  summarize  infrastructure  needs 
between  new  projects  and  maintaining  existing 
assets  so  that  decision  makers  understand  the 
risks  and  costs  of  approving  one  project  over 
another 

how  to  summarize  information  so  that  decision 
makers  get  an  appropriate  amount  of  detail  on 
proposed  projects. 

how  approving  new  infrastructure  will  impact 

future  maintenance  costs  so  that  decision 

makers  understand  the  impact  it  will  have  on 

both  current  and  future  budgets 

how  not  maintaining  new  infrastructure  will 

impact  the  overall  cost  of  maintenance  or  the 

service  life  of  the  infrastructure 

how  to  summarize  key  qualitative  information 

about  projects,  such  as  health  and  safety 

issues  and  the  environmental  impact 
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Roles  and  Responsibilities  for  Capital  Planning 


DMCPC  MEMBERSHIP 


Ministry  of  Treasury  Board 
(Chair) 
Advanced  Education 
and  Technology 
Culture  and  Community  Spirit 
Education 
Environment 
Executive  Council 
Finance  and  Enterprise 
Health  and  Wellness 
Housing  and  Urban  Affairs 
Infrastructure 
Justice  and  Attorney  General 
Municipal  Affairs 
Seniors  and  Community 
Supports 
Service  Alberta 
Solicitor  General  and  Public 
Security 
Sustainable  Resource 
Development 
Tourism,  Parks  and  Recreation 
Transportation 


Premier 
Cabinet 


Treasury  Board 


Treasury  Board 
Capital  Planning 
Committee  (TBCPC) 


Deputy  Minister's 
Capital  Planning 
Committee  (DMCPC) 


Ministries/Supported 
Infrastructure 
Organizations 


Strategic  Capital 
Planning  (Ministry  of 
Treasury  Board) 


Review  and 
recommend  a  plan 


Identify  and  prioritize 
projects 


Figure  1 :  Organizational  chart  for  capital  planning,  Alberta's  Capital  Planning  Manual.  June  28,  2010.  page  25. 


Cabinet 


Approves  the  overall  parameters  of  the  capital  plan,  including  its  overall  size,  the 
basic  allocation  to  funding  envelopes  and  any  portion  of  capital  planning  dollars  to 
be  alternately  financed. 


Caucus 


Provides  input  to  Treasury  Board  on  capital  plan  priorities  and  reviews  the  Treasury 
Board  Capital  planning  Committee  (TBCPC)  recommendations. 


Treasury  Board 


Reviews  capital  requirements  and  capital  plan  options,  directs  the  Deputy  Minister' 
Capital  Planning  Committee  (DMCPC),  consults  with  Caucus,  and  provides 
recommendations  to  Cabinet  on: 

overall  parameters  of  the  capital  plan,  including  size,  allocation  to  funding 

envelopes,  and  funding  within  the  fiscal  plan 

funding  options 

individual  priority  projects,  and 

viable  P3  projects 


Treasury  Board 
Capital  Planning 
Committee 
(TBCPC) 


Consists  of  five  members  of  Treasury  Board.  The  Committee's  primary 
responsibilities  are  to: 

provide  advice  and  make  recommendations  on  matters  relating  the  province's 

three  year  capital  plan 
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assess  the  DMCPC's  recommendations  regarding  the  strategic  direction  of 
the  capital  plan,  including  program  service  priorities,  potential  scenarios,  and 
alternative  capital  procurement  options 

provide  an  independent  assessment  regarding  capital  budget  and  resource 
allocation  decisions 

provide  timely  and  complete  information  to  Caucus  regarding  the  government's 
capital  plan 

Consists  of  Deputy  Ministers  from  all  program  ministries  with  infrastructure  needs, 
and  is  chaired  by  the  Deputy  Minister  of  the  Department  of  Treasury  Board.  The 
DMCPC  is  responsible  for  providing  advice  and  recommendations  to  Deputy 
Minister,  Ministry  of  Treasury  Board  regarding: 

three-,  five-  and  ten-year  capital  requirements  for  government  owned  and 
supported  infrastructure 

ministry  and  cross  ministry  capital  project  and  program  priorities 
long-term  capital  plan  alternatives 
strategies  to  address  deferred  maintenance 
strategic  impacts  of  the  capital  plan 
allocation  of  new  funding  to  capital  program  envelopes 
alternative  capital  financing  of  projects 

ongoing  capital  project  status  reports,  including  potential  in-year  changes  to  the 
capital  plan 

Establishes  and  oversees  the  overall  capital  planning  framework  and  budgeting  for 
the  province.  The  Department  is  responsible  for: 

co-ordinating  the  capital  plan  process,  setting  timeframes  and  submission 
expectations,  compiling  ministry  submissions,  overseeing  joint  activities  such  as 
the  prioritization  process,  and  developing  capital  budget  scenarios 
acting  as  the  secretariat  for  DMCPC,  coordinating  requests  from  ministries, 
developing  policy  proposals  and  plan  scenarios,  and  preparing  reports  and 
presentations 

Advisory  Advises  Treasury  Board  on  alternative  capital  financing  options,  and  the  feasibility 

Committee  on  and  desirability  of  proposed  P3  projects. 

Alternative  Capital 
Financing  (ACACF) 

Program  ministries    Are  responsible  for: 

determining  their  individual  program  needs  and  the  infrastructure  required  to 
support  those  program  needs 

developing  performance  measures  for  assessing  the  performance  of  their 
infrastructure  from  a  condition,  utilization  and  functional  adequacy  perspective 
preparing  business  cases  for  each  infrastructure  project,  and  determining  the 
scope  and  cost  of  priority  projects  with  the  assistance  of  the  technical  ministries 


Deputy  Ministers' 
Capital  planning 
Committee 
(DMCPC) 


Department  of 
Treasury  Board 
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Technical  Ministries  Consists  of  the  ministries  of  Infrastructure,  Transportation,  and  Service  Alberta. 

Technical  ministries  provide  consultation  to  program  ministries  and  supported 
infrastructure  organizations  on  the  technical  aspects  of  infrastructure  development 
and  expected  project  costs.  The  Ministry  of  Infrastructure  maintains  the  information 
on  the  condition  of  government  owned  buildings,  schools,  post  secondary 
institutions,  and  health  facilities. 


I 
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Report  of  the  Auditor  General  of  Alberta — October  2010 


Government  of  Alberta  and  Ministry  Annual 
Reports 


Financial  statements 


Our  auditor's  opinion  on  the  Government  of 
Alberta's  consolidated  financial  statements  for 
the  years  ended  March  31,  2010  and  2009  is 
unqualified. 

This  year,  the  government  included  the  SUCH 
sector  in  its  financial  statements  using  line-by-line 
consolidation.  Previously,  the  SUCH  sector  was 
included  using  modified  equity  consolidation. 
In  accordance  with  accounting  standards,  the 
government  restated  its  prior  year  financial 
statements,  to  make  them  comparable  to  the 
line-by-line  consolidated  financial  statements. 
We  issued  our  auditor's  opinion  on  both  years  to 
communicate  that  we  had  audited  both  the  current 
year,  and  the  restated  prior  year. 

We  are  satisfied  that  the  transactions  and  activities 
we  examined  in  financial  statement  audits  complied 
with  relevant  legislative  requirements.  As  auditors, 
we  test  only  some  transactions  and  activities,  so 
we  caution  readers  that  it  would  be  inappropriate 
to  conclude  that  our  testing  would  identify  all 
transactions  and  activities  that  do  not  comply  with 
the  law. 

We  issued  unqualified  auditor's  opinions  on 
ministry  financial  statements  for  the  years  ended 
March  31,  2010  and  2009. 


Performance  measures 


Prior-year  recommendation 

Analysis  and  review  of  performance 
measures — satisfactory  progress 

In  our  October  2009  Report  (no.  16— page  136), 
we  recommended  that  the  Ministry  of  Treasury 
Board  work  with  Ministries  to  improve  processes 
at  the  Ministry  level  relating  to  analysis  and  review 
of  performance  measures.  We  also  recommended 
that  the  Ministry  of  Treasury  Board  establish  a 
protocol  with  Ministries  whereby  it  is  informed  of 


proposed  changes  by  Ministries  to  performance 
measures  methodology  in  a  timely  manner. 


Our  audit  findings 

For  the  21  measures  that  we  audited,  we  noted 
that  substantially  all  ministries  used  the  materiality 
guidance  and  checklist  to  prepare  the  performance 
information.  We  noted  improvement  in  the  level  and 
consistency  of  analysis,  documentation  and  review 
of  performance  information  by  management  at 
ministries. 

In  order  to  fully  implement  this  recommendation, 
the  Ministry  of  Treasury  Board  needs  to  work 
with  ministries  to  continue  to  facilitate  their 
understanding  of  requirements  for  analysis, 
documentation  and  review  of  performance 
information.  This  could  be  done  by  holding  a 
debriefing  session  on  the  results  of  the  current 
year  process  with  ministries  and  presentation  of  a 
workshop  on  how  to  determine  materiality. 

Modify  the  profiles  to  more  specifically  refer  to  and 
explain  changes  planned  to  measures. 

Public  performance  reporting 

Measuring  Up 

We  audited  21  of  the  62  performance  measures 
in  Measuring  Up  and  were  able  to  issue  an 
unqualified  auditor's  opinion. 

Ministry  annual  reports 

We  reviewed  108  performance  measures  included 
in  23  ministry  annual  reports  and  were  able  to  issue 
23  unqualified  review  engagement  reports. 

The  Province  of  Alberta  has  issued  Public 
Performance  Reports  (PPRs)  including 
government-wide  and  ministry  business  plans  and 
annual  reports  since  the  mid  1990s.  The  objective 
of  the  PPRs  is  to  provide  performance  information 
(both  financial  and  non-financial),  that  allows  the 
citizens  of  Alberta  to  assess  the  government's 
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overall  performance.  This  is  accomplished  by 
publishing  strategic  three-year  business  plans 
and  annually  reporting  on  the  progress  made  in 
achieving  those  plans.  The  role  of  the  Auditor 
General  in  the  public  reporting  process  has  been 
to  add  credibility  to  performance  reporting  and  to 
recommend  improvements  in  that  reporting. 

In  2007,  government  approached  CCAF-FCVI,  Inc.1 
(CCAF)  to  undertake  a  direct  dialogue  with  the 
users  of  the  government's  PPRs.  The  purpose  of 
this  dialogue  was  to  identify  ways  the  government 
could  improve  its  PPRs  to  better  meet  the  needs 
of  users — legislators,  the  media  and  the  citizens 
of  Alberta.  The  government  accepted  20  of  the 
25  recommendations  and  is  currently  working  on 
implementing  those  recommendations. 

In  2008-2009  the  government,  acting  on  one  of 
the  CCAF  recommendations,  conducted  research 
into  the  best  practices  of  online  performance 
reporting  and  developed  basic  principles  for  moving 
government  PPR's  from  the  current  book-based 
format  to  web-based  performance  reporting. 

In  May  2010,  the  government  made  significant 
changes  to  the  requirements  and  timelines  to 
prepare  PPRs.  The  changes  are  intended  to 
refocus  the  business  plans  and  annual  reports 
at  a  strategic  level  and  improve  the  timeliness 
and  readability  of  ministry  annual  reports.  These 
changes  included: 

Effective  with  Budget  2011 ,  ministry  business 
plans  are  limited  to  four  pages,  from  about 
12  pages,  to  encourage  ministries  to  focus  only 
on  the  ministry's  strategic  goals,  strategies  and 
performance  measures. 
Effective  in  2011 ,  ministry  annual  reports  will 
be  released  at  the  end  of  June  2011 ,  rather 
than  the  end  of  September.  The  Ministry  and 
government  annual  report  will  be  released  at 
the  same  time,  thereby  providing  in  a  timely 
manner,  the  ministry  financial  and  non-financial 
information  that  supports  the  aggregated 
information  in  the  government  annual  report. 

1      CCAF-FCVI,  Inc.,  was  created  in  1980  as  the  Canadian 
Comprehensive  Auditing  Foundation — La  Fondation 
canadienne  pour  la  verification  integree. 


Effective  with  2009-2010  ministry  annual 
reports,  ministries  are  to  focus  on  reporting 
only  key  information  in  ministry  annual  reports. 
However,  ministries  are  also  encouraged  to 
provide  supplemental  information  on  their 
website  that  readers  may  find  useful  regarding 
their  ministry's  performance.  Ministries  are  to 
present  a  balanced  discussion  of  the  ministry's 
overall  results  and  performance  (financial 
and  non-financial).  Ministries  are  discouraged 
from  discussing  every  performance  measure 
or  strategy  published  in  the  ministry  business 
plan.  However,  they  are  encouraged  to  discuss 
those  results  where  there  is  a  significant 
variance  from  targeted  results  or  the  previous 
year's  results,  and  where  strategies  resulted 
in  significant  improvements  in  programs  and 
services  or  proved  to  be  challenging  in  their 
implementation. 

Audit  of  performance  information 

We  currently  carry  out  audits  and  limited  assurance 
reviews  on  selected  performance  measures  in 
government  and  ministry  annual  reports  at  the 
request  of  government.  Although  the  above 
changes  to  the  timing  of  annual  report  release 
dates  present  staffing  challenges  to  our  Office, 
we  are  committed  to  reviewing  our  practices  and 
determining  how  we  can  meet  the  needs.  One 
of  the  primary  issues  is  the  requirement  to  staff 
both  financial  statement  audits  and  performance 
measures  reviews  at  the  same  time. 
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There  are  no  outstanding  recommendations  for  this 
Ministry  or  the  organizations  that  form  it. 


Financial  statements 


Our  auditor's  opinions  on  the  financial  statements 
of  the  Ministry  and  Department  of  Aboriginal 
Relations  for  the  years  ended  March  31 ,  201 0  and 
2009,  were  unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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Advanced  Education  and  Technology 


Summary 


The  Department  of  Advanced 
Education  and  Technology 

The  Department  should  improve  its  controls  over 

the  student  finance  program  by: 

properly  approving  changes  to  student  loan 
programs  and  communicating  the  changes  to 
staff 

reviewing  and  approving  changes  to 
assumptions  and  methodologies  used  in 
calculating  the  allowance  for  loan  subsidies — 
see  page  108 

Entities  that  report  to  the  Minister 

We  have  made  several  recommendations  to  the 
University  of  Calgary  over  the  last  few  years. 
The  University  has  made  substantial  progress 
implementing  the  recommendations  arising  from 
our  financial  statement  audit  work,  with  one  notable 
exception  being  its  progress  to  deal  with  access 
security  to  programs  and  data — see  page  112.  In 
our  systems  audit  section — page  43,  the  University 
implemented  three  of  seven  recommendations 
related  to  research  management,  but  still  has 
substantive  issues  to  resolve  on  the  other  four 
recommendations.  Overall,  the  University  has 
improved  its  controls  and  processes  for  budgeting, 
executive  compensation,  payroll  documentation 
and  journal  entries.  We  reported  that  the  University 
has  made  satisfactory  progress  in  improving  the 
effectiveness  of  its  control  environment.  We  are 
encouraged  by  the  progress  made  to  deal  with 
our  recommendations,  but  stress  that  continued 
execution  of  the  innovative  Support  Services  (iS2) 
and  Institutional  Research  Information  Services 
Solution  projects  is  key  to  implementing  the 
remaining  recommendations. 

This  year,  we  conducted  audits  at  two  universities 
to  determine  if  they  have  effective  information 


technology  governance  and  project  management 

systems.  We  found  that: 

Grant  MacEwan  University  established 
an  effective  governance  structure  and 
well-designed  project  management  standards, 
policies  and  procedures  to  implement  its 
new  enterprise  resource  planning  system. 
This  included  providing  relevant  and  timely 
information  to  the  Project  Steering  Committee, 
Executive  Committee  and  Audit  and  Finance 
Committee  on  the  project  status  such  as  actual 
cost  compared  to  budget,  work  completed, 
risks  and  mitigating  strategies — see  page  29 
Athabasca  University  management  is  unable 
to  demonstrate  that  investments  in  IT  projects 
achieved  the  expected  results  and  benefits. 
Athabasca  University  needs  to  improve  its  IT 
governance  systems,  project  management 
systems,  reporting  on  project  status,  and 
resolving  inefficiencies  in  its  financial,  human 
resources  and  payroll  systems — see  page  19 

Athabasca  University  should  also: 

assess  the  risks  and  take  the  necessary 
steps  to  establish  appropriate  off-site  disaster 
recovery  facilities  that  include  required 
computer  infrastructure  to  provide  continuity  of 
critical  IT  systems 

complete  and  test  its  existing  disaster  recovery 
plan  to  ensure  continuous  services  are 
provided  in  the  event  of  a  disaster — see  page  1 1 0 

The  University  of  Lethbridge  should  improve  its 
endowment  policies  and  procedures  by: 

clarifying  its  goals  for  preserving  the  real  value 
of  endowments,  and  how  it  plans  to  achieve 
this 

tracking  investment  income  between  amounts 
for  preserving  the  real  value  of  investments  and 
amounts  available  for  spending — see  page  118 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 
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Education  and  Technology 


Findings  and  recommendations 


Student  finance  program 
Background 

The  Department  provides  financial  assistance 
to  students  attending  Alberta  post-secondary 
institutions.  Students  receive  loans  interest-free 
during  their  studies,  but  must  repay  the  loan 
with  interest  after  they  complete  their  studies. 
The  Department  also  provides  relief  to  students 
whose  loan  balance  exceeds  certain  debt  levels. 
Management  makes  various  assumptions  and 
uses  methodologies  to  calculate  this  relief  and  to 
estimate  year-end  balances  for  the  Department's 
financial  statements.  These  assumptions  include 
interest  rates,  repayment  periods  and  default  rates. 

The  Minister  delegates  certain  powers,  duties  and 
functions  to  various  levels  of  Department  staff. 
These  delegated  powers  are  conferred  on  the 
Minister  under  the  Alberta  Heritage  Scholarship 
Act  and  its  regulations  and  the  Student  Financial 
Assistance  Act  and  its  regulations. 


Recommendation:  improve  controls  over 
student  finance  program 


RECOMMENDATION 


We  recommend  that  the  Department  of 
Advanced  Education  and  Technology  improve 
its  controls  over  the  student  finance  program  by: 
properly  approving  changes  to  student  loan 
programs  and  communicating  the  changes 
to  staff 

reviewing  and  approving  changes  to 
assumptions  and  methodologies  used  in 
calculating  the  allowance  for  loan  relief 
completion  payments  and  loan  subsidies 


Criteria:  the  standards  for  our  audit 

The  Department  should  have  effective  controls 
over  the  student  finance  programs.  This  includes 
appropriate  review  and  approval  of  changes 
to  programs,  assumptions  and  methodologies, 
communicating  the  changes  to  staff,  and  an 
independent  review  of  calculations. 


Our  audit  findings 


Key  Point 


Certain  changes  to  the  student  loan  program, 
assumptions  and  methodologies  were  not  properly 
reviewed  and  approved 

The  Department  has  made  considerable 
improvements  in  how  it  estimates  the  allowance  for 
loan  relief  completion  payments.  Based  on  our 
testing  and  review  of  the  Department's  testing,  we 
agree  with  the  reasonableness  of  this  estimate. 

However,  the  Department  could  improve  its 
processes  and  controls  over  changes  to  the 
student  financial  assistance  programs.  We  found 
the  following  issues: 

In  August  2009,  the  Department  changed  the 
minimum  debt  level  used  to  calculate  loan  relief 
completion  payments  (loan  remissions)  from 
$2,500  to  $2,805  for  students  who  started  their 
studies  in  2004-2005  and  earlier.  However,  the 
Executive  Director,  the  Minister's  delegated 
authority,  did  not  approve  the  change  until 
March  1,  2010  retroactive  to  August  2009,  after 
we  requested  evidence  of  the  approval. 
The  Department  did  not  sufficiently 
communicate  the  loan  relief  change  to  staff. 
As  a  result,  some  staff  used  the  new  minimum 
debt  level  while  others  continued  to  use  the 
old  minimum  debt  levels  to  calculate  the 
loan  relief  completion  payments  to  students. 
We  estimated  that  the  Department  awarded 
students  approximately  $284,000  more 
than  they  were  eligible  for  under  the  original 
remission  levels.  Management  decided  not 
to  correct  the  error  through  revision  of  the 
student's  loan  balances  or  through  recovery  of 
payments  from  students. 
The  Department  changed  the  methodology  to 
calculate  the  loan  repayment  period  that  it  uses 
in  the  year-end  estimates  related  to  the  student 
loan  portfolio.  However,  the  Department  does 
not  have  a  process  to  document  the  rationale, 
and  to  review  and  approve  any  changes. 
The  Department  did  not  follow  its  process, 
which  requires  an  independent  person  to 
review  the  assumptions  and  calculations  used 
in  calculating  the  year-end  estimates.  Student 
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finance  staff  incorrectly  calculated  the  interest 
rate  used  in  the  student  loan  calculation  as 
the  average  of  four  years,  rather  than  three 
years.  This  resulted  in  the  interest  rate 
changing  from  4.09%  to  4.7%.  Management 
corrected  the  calculation  after  we  brought 
the  error  to  their  attention,  and  adjusted  the 
financial  statements  by  $2.7  million. 


Implications  and  risks  if  recommendation 
not  implemented 

The  Department  may  not  adhere  to  legislation, 
regulations  and  policies,  if  program  changes 
are  not  properly  approved.  Without  independent 
verification  of  its  assumptions  and  calculations 
for  year-end  estimates  of  loans,  the  Department 
might  incorrectly  provide  loan  relief  to  students  and 
use  inaccurate  estimates  that  result  in  incorrect 
decisions. 

Guidance  to  institutions  on  IT  control 
frameworks — progress  report 
Background 

Well-designed  and  effective  information  technology 
controls  give  institutions  assurance  over  the 
security  and  integrity  of  their  information  and 
systems.  These  systems  are  used  for  financial 
reporting  and  to  provide  efficient,  effective 
and  reliable  services  to  students  and  staff.  In 
our  April  2008  Report  (no.  8— page  195),  we 
recommended  that  the  Department  of  Advanced 
Education  and  Technology  give  guidance  to 
institutions  on  using  an  IT  control  framework  to 
develop  control  processes  that  are  well-designed, 
efficient  and  effective.  We  also  provided  a 
summary  of  findings  for  IT  controls  at  institutions. 
In  our  April  2010  Report  (page  171),  we  restated 
the  recommendations  to  recommend  that 
the  Department  of  Advanced  Education  and 
Technology,  through  the  Campus  Alberta  Strategic 
Directions  Committee,  give  guidance  to  public 
post-secondary  institutions  on  using  an  IT  control 
framework  to  develop  control  processes  that  are 
well  designed,  efficient  and  effective. 


The  Department  and  institutions  created  a  Project 
Steering  Committee,  consisting  of  chief  information 
officers  and  senior  financial  officers  from 
institutions,  to  oversee  the  project. 

Management's  actions 

Twenty-four  of  26  post-secondary  institutions 
are  currently  participating  in  this  project.  The 
Department  recently  presented  the  control 
framework  and  its  six  over-arching  policies  to  the 
Project  Steering  Committee  for  final  approval.  The 
framework  allows  individual  institutions  to  use  the 
high-level  policies  and  tailor  them  and  the  related 
procedures,  processes  and  standards  to  meet  the 
institution's  needs. 

Once  institutions  approve  and  adopt  the  policies, 
they  will  be  able  to  focus  on  implementing 
procedures  and  standards  to  support  the  policies. 
The  Department  contracted  with  a  third  party  to 
provide  assistance  to  develop  and  communicate 
procedures,  processes  and  standard  templates 
for  each  institution  to  use.  These  templates  will 
allow  institutions  to  tailor  templates  based  on  a 
risk  assessment  so  that  procedures  and  standards 
are  reasonable  for  each  institution.  They  will  also 
ensure  that  there  are  individualized,  but  similar 
standards  and  controls  throughout  the  province  that 
meets  a  minimum  standard. 

To  fully  implement  this  recommendation,  the 
Department  must  complete  the  framework,  policies, 
procedures  and  standards  and  provide  guidance 
to  post-secondary  institutions  on  how  use  the  IT 
control  framework  to  implement  well  designed 
policies  and  control  processes. 

Institutions'  annual  report  standards — 
implemented 

In  our  October  2009  Report  (page  144), 
we  recommended  that  the  Department  of 
Advanced  Education  and  Technology  improve  its 
requirements  for  post-secondary  institutions'  annual 
reports  to  ensure  that  these  institutions  and  their 
management  are  accountable  for  their  control  and 
use  of  public  resources. 
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The  Department  has  revised  the  annual  report 
guidelines  that  requires  post-secondary  institutions 
to  include  in  their  annual  reports: 
an  accountability  statement 
an  acknowledgment  of  management's 
responsibility  for  reporting  and  internal  controls, 
signed  by  the  president/chief  executive  officer 
and  senior  financial  officer 
management's  discussion  and  analysis,  which 
should  provide  a  balanced  discussion  of  the 
institution's  overall  results  and  performance, 
including  reporting  on  performance 
measures — Institutions  are  also  to  link  financial 
results  to  the  progress  in  achieving  goals, 
expected  outcomes,  strategies  and  initiatives 
set  out  in  the  institution's  business  plan. 

We  consider  the  recommendation  implemented. 
In  future,  as  part  of  our  audits  of  institutions,  we 
may  review  the  Department's  processes  to  monitor 
institutions'  compliance  with  the  new  guidelines. 

Grant  accountability — implemented 
Background 

In  our  October  2009  Report  (no.  17— page  142), 
we  recommended  that  the  Department  improve 
its  processes  for  managing  conditional  grants. 
The  Department  had  not  yet  fully  implemented 
its  monitoring  and  accountability  processes  for 
the  Access  to  the  Future  Fund,  even  though  the 
fund  started  in  2006-2007.  The  Department  had 
also  not  received  accountability  reports  from  most 
institutions  for  one-time  funds  for  credit  program 
expansion,  and  did  not  have  a  process  to  follow-up 
with  institutions  to  review  how  they  use  funds  or  to 
identify  if  any  funds  remain  unspent. 


Our  audit  findings 


Key  Points 


•  Department  implemented  new  monitoring  and 
accountability  processes  over  grant  funds 

•  New  processes  implemented  to  obtain 
accountability  reports 

Access  to  the  Future  Fund 

To  obtain  reasonable  assurance  that  the  institutions 

have  met  the  eligibility  requirements  for  the 

matching  grants,  the  Department  has: 

provided  more  guidance  in  the  Renaissance 
Fund  Guide  to  institutions  for  calculating  their 
eligible  donations 
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established  a  timeframe  of  three  years  for 
spending  these  funds  and  achieving  outcomes 
implemented  a  pre-  and  post-review  process 
to  assess  if  institutions  met  their  eligibility 
criteria — The  Department  visited  several 
institutions  to  review  the  eligibility  and  use  of 
funds. 

communicated  reporting  requirements  to 
ensure  the  appropriate  and  timely  use  of  grant 
funds 

Enrolment  planning  envelope 
The  Department  has  implemented  a  tracking 
system  to  ensure  that  it  receives  accountability 
reports  from  institutions.  It  requested  institutions 
to  submit  their  outstanding  accountability  reports 
for  the  2007-2008  and  2008-2009  grants.  Once 
received,  Department  management  reviews  the 
reports  to  ensure  the  documentation  is  appropriate 
and  that  the  expenditures  support  the  objective  for 
which  the  funds  were  intended.  All  accountability 
reports  for  the  2007-2008  grants  had  been 
received  and  documentation  for  two  reports  that  we 
reviewed  appears  appropriate. 

Entities  that  report  to  the  Minister 
Athabasca  University 

On  page  19,  we  report  the  results  of  our  systems 
audit  of  the  University's  IT  Governance,  Strategic 
Planning  and  project  management  policies, 
processes  and  standards. 

Information  technology  resumption  plan 
Background 

The  University  relies  heavily  on  its  IT  systems  and 
infrastructure  to  deliver  online  student  courses, 
including  course  materials  and  course  evaluations, 
as  well  as  for  the  University's  daily  corporate 
financial  activities.  Failure  to  recover  promptly  from 
a  disaster  affecting  the  University's  data  centre 
would  significantly  affect  the  University's  ability  to 
continue  providing  these  services. 

Disaster  recovery  planning  includes  the  policies, 
procedures  and  infrastructure  needed  to  recover 
and  continue  technology  services  critical  to  an 
organization,  after  a  natural  or  human-induced 
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disaster.  Disaster  recovery  planning  is  a  subset 
of  a  larger  process  known  as  business  continuity 
planning.  It  should  include  planning  to  resume 
applications  and  recover  data,  hardware, 
communications  (such  as  networking)  and  other 
IT  infrastructure.  A  well-designed  and  frequently 
tested  disaster  recovery  plan  can  better  prepare 
the  University  to  recover  from  a  major  outage  or  a 
total  loss  of  its  IT  infrastructure,  within  an  identified 
timeframe. 


Recommendation:  establish  IT  resumption 
capabilities 


RECOMMENDATION  NO.  10 


We  recommend  that  Athabasca  University: 
assess  the  risks  and  take  the  necessary 
steps  to  establish  appropriate  off-site 
disaster  recovery  facilities  that  include 
required  computer  infrastructure  to  provide 
continuity  of  critical  IT  systems 
complete  and  test  its  existing  disaster 
recovery  plan  to  ensure  continuous  services 
are  provided  in  the  event  of  a  disaster 

Criteria:  the  standards  for  our  audit 

The  University  should  have: 

an  up-to-date  disaster  recovery  plan  (DRP) 
that  is  based  on  a  risk  assessment  of  critical 
IT  services  and  business  requirements  for  the 
continuity  of  these  services 
a  documented  and  effective  back-up  and 
restoration  plan  for  its  critical  applications  and 
IT  infrastructure 

effective  plans  and  means  to  test  the  DRP 
regularly  using  an  off-site  IT  recovery  facility 
effective  procedures  to  assess  the  adequacy 
and  completeness  of  the  DRP  after  testing 


Our  audit  findings 


Key  Points 


•  Disaster  recovery  plan  outdated,  partly 
incomplete  and  not  yet  tested 

•  No  off-site  recovery  facilities  to  recover  IT 
systems  within  required  timeframes 

The  University  prepared  a  DRP  in  2008, 
but  has  not  updated  it  since  then.  The  DRP 
includes  recovery  roles,  responsibilities  and 
contact  information,  as  well  as  a  high-level  risk 


assessment.  The  risk  assessment  identifies 
priority  systems  the  University  must  recover  first, 
to  continue  services  to  students.  The  University 
has  tested  its  ability  to  restore  data  from  back-up 
media  using  its  data  centre  in  Athabasca.  However, 
it  has  not  completed  defining  specific  recovery 
procedures  or  tested  its  DRP. 

In  addition,  the  University  does  not  have  an  off-site 
recovery  facility  or  a  contractual  arrangement  for 
such  a  facility.  An  off-site  recovery  facility  would 
allow  the  University  to  recover  critical  student 
and  financial  systems  within  required  timelines 
in  the  event  of  a  failure  of  the  University's  data 
centre.  The  University  could  work  with  institutions 
that  have  similar  requirements,  to  share  recovery 
facilities  and  equipment  services  and  costs,  thereby 
improving  the  cost-effectiveness  of  this  service. 


Implications  and  risks  if  recommendation 
not  implemented 

The  University  may  be  unable  to  systematically 
recover  data  or  resume  critical  business  and 
student  services  within  the  required  timeframes. 

University  of  Alberta 

Security  configuration  settings — 
implemented 

In  our  October  2007  Report  (vol.  2— page  24), 
we  recommended  that  the  University  of  Alberta 
obtain  assurance  that  its  service  provider  maintains 
security  configurations  for  the  outsourced  services 
as  contracted. 

The  service  provider  provided  a  report  that 
shows  the  security  settings  and  configurations  in 
PeopleSoft  meet  its  security  standards,  except 
where  exceptions  were  previously  documented  and 
agreed  to  by  both  parties.  Effective  July  1,  2010, 
the  University  receives  application  services  from  a 
new  service  provider.  The  University  plans  to  obtain 
assurance  from  the  new  service  provider  through 
an  independent  audit  over  the  security  controls. 
We  consider  this  recommendation  implemented  as 
the  University  has  a  contractual  provision  to  obtain 
assurance  from  the  service  provider.  In  future,  we 
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will  review  the  results  from  the  service  provider  and 
the  steps  to  remediate  any  issues  noted. 

University  of  Calgary 

We  have  made  several  recommendations  to  the 
University  of  Calgary  over  the  last  few  years. 
The  University  has  made  substantial  progress 
implementing  the  recommendations,  with  some 
notable  exceptions.  For  the  fourth  time,  we 
repeated  the  recommendation  that  the  University 
improve  controls  over  access  security  to  programs 
and  data,  as  the  University  has  been  too  slow  in 
taking  sufficient  action  to  implement  the  remaining 
parts  of  this  recommendation.  In  our  systems  audit 
section — page  43,  we  reported  on  the  University's 
progress  to  implement  recommendations  from  our 
October  2004  Report  and  October  2005  Report 
related  to  research  management.  The  University 
implemented  three  of  seven  recommendations, 
but  we  repeated  four  recommendations  because 
substantive  issues  still  remain  several  years  after 
we  made  the  first  recommendation. 

The  University  has  improved  its  controls  and 
processes  for  budgeting,  executive  compensation, 
payroll  documentation  and  journal  entries. 
Also,  we  reported  that  the  University  has  made 
satisfactory  progress  in  improving  the  effectiveness 
of  its  control  environment — see  page  114.  Despite 
having  five  repeated  recommendations,  we 
are  encouraged  by  the  progress  made  on  the 
Innovative  Support  Services  (IS2)  and  Institutional 
Research  Information  Services  Solution  projects. 
The  execution  of  identified  key  deliverables 
for  these  projects  should  deal  with  our  past 
recommendations.  However,  we  stress  that 
the  University  must  adhere  to  key  activities 
and  timelines  identified  for  the  projects — see 
pages  114  and  115. 

Access  security  to  programs  and 
data — recommendation  repeated 

We  first  made  this  recommendation  in  our  October 
2006  Report  (vol.  2— page  24).  We  repeated 
this  recommendation  three  times  since  then 
in  our  October  2007  Report  (vol.  2— page  13), 
October  2008  Report  (no.  22— page  219),  and 


October  2009  Report  (no.  19— page  155).  For 
the  fourth  time,  we  repeat  the  recommendation 
because  the  University  has  been  too  slow  in  taking 
sufficient  action  to  implement  the  remaining  parts 
of  this  recommendation  to  mitigate  PeopleSoft 
security  risks  this  past  year.  We  are  making  this 
recommendation  for  a  fifth  time. 


Background 

In  April  2004,  the  University  started  a  three- 
year  project  to  move  several  critical  business 
and  financial  processes  to  PeopleSoft,  an  ERP 
(see  glossary  on  page  233).  Considerable  time 
has  passed  since  our  original  recommendation 
and  the  University  has  implemented  parts  of  our 
recommendation. 


Recommendation:  improve  access  to  data 
and  systems 


RECOMMENDATION  NO.  11— REPEATED 


We  again  recommend  that  the  University  of 
Calgary  improve  controls  in  the  PeopleSoft 
system  by: 

finalizing  and  implementing  the  security 
policy  and  the  security  design  document 
ensuring  that  user  access  privileges  are 
consistent  with  both  the  user's  business 
requirements  and  the  security  policy 

Criteria:  the  standards  for  our  audit 

The  University  should  have  well-designed 
and  effective  procedures  to  reduce  the  risk  of 
unauthorized  or  inappropriate  access  to  PeopleSoft 
programs  and  data  by: 

implementing  a  comprehensive  security 
policy  and  maintaining  an  up-to-date  security 
design  framework  for  the  PeopleSoft  control 
environment 

controlling  access  to  programs  and  data 
by  defining  and  enforcing  procedures  to 
identify,  authenticate  and  authorize  the  use  of 
PeopleSoft  and  to  ensure  that  only  authorized 
changes  are  made  to  user  accounts  (additions, 
deletion,  changes)  and  that  they  are  made 
promptly 

developing  and  implementing  a  security  policy 
for  administrative  systems 
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implementing  an  effective  control  process  to 
periodically  review  the  appropriateness  of  user 
access  rights  and  restricting  user  roles  and 
functions  they  can  perform 


Our  audit  findings 


Key  Points 


•  Developers  of  enhancements  to  PeopleSoft 
system  still  have  access  to  live  system 

•  No  process,  yet  to  remove  contractors'  and 
non-employees'  access 

The  University  completed  a  review  of  PeopleSoft 
privileged  and  administrative  access,  and 
developed  an  "access  security  matrix"  for 
PeopleSoft  role-based  security  as  a  part  of  the 
security  design  document.  However,  the  University 
did  not  make  satisfactory  progress  to  control 
access  to  PeopleSoft  and  restricting  the  user 
roles  and  the  functions  users  can  perform.  We 
confirmed  that  developers  of  enhancements  for  the 
PeopleSoft  system  continued  to  have  excessive 
access  to  the  PeopleSoft  production  environment. 
This  is  a  separation  of  duties  conflict  that  could 
allow  one  person  to  bypass  critical  management 
controls  and  make  unauthorized  changes  to  the 
PeopleSoft  system  or  its  data. 

The  University  must  ensure  its  access  security 
matrix  defines  who  can  have  privileged  access 
to  the  production  system  and  under  what 
circumstances.  For  example,  developers  should 
not  have  access  to  the  production  system  unless 
other  mitigating  controls  are  in  place.  When  there 
is  a  separation  of  duties  conflict  with  access  or 
roles  in  the  PeopleSoft  system,  the  University  must 
ensure  there  are  other  mitigating  controls  to  reduce 
the  risk  that  unauthorized  changes  are  made  to  the 
PeopleSoft  system  or  its  data. 

We  also  confirmed  that  the  process  for  removing 
user  access  does  not  remove  the  access  of 
contractors  and  other  non-employees.  We  were 
informed  that  the  University  plans  to  incorporate 
the  functionality  to  remove  contractor  and  other 
non-employee  access  to  PeopleSoft  when  no 
longer  required.  We  observed  that  this  is  a  part  of 
the  information  security  work  plan  for  2010. 


The  University  made  progress  by: 

integrating  the  human  capital  management 
and  student  administration  system  modules 
to  support  the  overall  PeopleSoft  security 
requirements 

implementing  an  integrated  vulnerability 
assessment  infrastructure  to  monitor  and 
identify  defined  security  incidents — We 
confirmed  that  this  vulnerability  assessment 
process  monitors  the  PeopleSoft  system 
for  security  incidents  and  compliance  to  the 
security  policy  requirements, 
implementing  an  automated  tool  for  removing 
user  access  no  longer  required  as  a  result  of 
staff  terminations 

To  fully  implement  the  recommendation,  the 

University  must: 

restrict  user  and  privileged  access  for 
administrators,  developers  and  database 
administrators  within  the  PeopleSoft  system 
ensure  that  PeopleSoft  security  design 
document  is  completed,  reviewed  and 
approved  by  senior  management,  and  then 
fully  implemented 

have  well-designed  or  automated  control 
processes  to  ensure  that  when  an  individual 
with  access  to  the  PeopleSoft  system  leaves 
the  University  or  changes  job  roles,  access 
to  all  applications  and  systems — including 
PeopleSoft — is  either  terminated  or  changed  to 
reflect  their  new  job  roles 
regularly  review  account  access  for: 

possible  conflicts  with  other  roles 

ongoing  business  need 

appropriateness  of  access  for  the  job 


Implications  and  risks  if  recommendation 
not  implemented 

Weak  access  controls  to  and  within  PeopleSoft 
may  result  in  unauthorized  access  to  confidential 
data,  entry  of  unauthorized  transactions,  and  the 
accidental  or  deliberate  destruction  or  alteration 
of  data.  Poor  controls  may  also  allow  the 
unauthorized  release  of  confidential  student  or 
financial  information. 
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Improving  the  University's  control 
environment — satisfactory  progress 
Background 

In  our  October  2008  Report  (no.  21— page  213), 
we  recommended  that  the  University  of  Calgary 
improve  the  effectiveness  of  its  control  environment 
by: 

assessing  whether  the  current  mix  of 
centralized  and  decentralized  controls  is 
appropriate  to  meet  its  business  needs 
defining  clear  goals,  responsibilities  and 
accountabilities  for  control  systems'  design, 
implementation  and  monitoring 
documenting  its  decentralized  control 
environment  and  implementing  training 
programs  to  ensure  those  responsible  for 
business  processes  have  adequate  knowledge 
to  perform  their  duties 
monitoring  decentralized  controls  to  ensure 
processes  operate  effectively 

The  University  is  in  the  final  phase  of  a  multi-year 
business  transformation  project  called  Innovative 
Support  Services  (iS2).  The  project  is  focused 
on  improving  internal  controls,  clarifying  roles 
and  responsibilities,  leveraging  the  University's 
purchasing  power  and  process  automation, 
discovering  efficiencies  across  departments  and 
improving  cost  effectiveness. 

To  update  our  understanding  of  the  University's 
progress  to  implement  this  recommendation,  we 
interviewed  management,  reviewed  iS2  project 
documents  provided  to  the  audit  committee  and 
obtained  iS2  reports  such  as  the  Project  Charter 
and  Financial  Accountability  and  Authority 
Framework. 


Criteria:  the  standards  for  our  audit 

The  University's  control  environment  should  ensure 
that: 

business  processes  are  efficient  and  result  in 
timely  and  accurate  financial  and  non-financial 
information 

employees  have  adequate  knowledge  and  are 
properly  trained  to  perform  their  duties 


controls  are  well-designed,  understood, 
documented,  assessed  for  adequacy  and 
centrally  monitored  for  effectiveness 
roles  and  responsibilities  are  defined  to  ensure 
controls  are  properly  implemented,  improved, 
maintained  and  monitored 


Our  audit  findings 


Key  Points 


•  Key  deliverables  identified  for  implementation 
phase 

•  Financial  Accountability  and  Authority  Framework  is 
foundation  for  policies  and  changes  to  processes 

•  Final  implementation  expected  to  be  completed 
by  June  2011 

The  project's  planning  and  development  phases 
were  completed  in  October  2009.  These  phases 
included  detailed  planning  and  process  changes 
for  critical  support  services  in  human  resources, 
facilities  and  spend  management,  finance  and 
information  technologies.  The  iS2  project  team 
identified  key  deliverables  and  dates  for  each  work 
stream  for  the  implementation  phase  (phase  3). 

The  Financial  Accountability  and  Authority 
Framework  endorsement  by  the  Board  of 
Governors  is  a  key  milestone  of  the  implementation 
phase,  as  it  is  the  foundation  for  implementing  the 
policies  and  business  process  changes  expected 
throughout  the  final  two  phases  of  the  iS2  project. 
The  framework  clarifies  who  is  authorized  to  make 
decisions  and  who  is  accountable  for  delivering 
on  those  decisions,  relating  to  financial  resources. 
The  key  elements  of  the  framework  are  the  role- 
based  definitions  of  what  individuals  can  and 
cannot  do  and  role-based  dollar  value  thresholds 
for  approvals  for  operating,  capital  and  research 
expenditures.  We  have  reviewed  this  framework 
and  agree  it  defines  clear  goals,  responsibilities 
and  accountabilities  for  controls  systems'  design, 
implementation  and  monitoring. 
Other  key  priorities  of  the  implementation  phase 
include  the  following: 

preparing  to  establish  and  enable  a  campus- 
wide  shared  service  delivery  framework 
beginning  to  implement  widespread  compliance 
monitoring  with  key  policies  and  business 
processes 
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identifying  changes  to  core  financial  processes 
to  meet  the  unique  needs  of  research 
making  key  decisions  on  the  scope  of, 
initial  implementation  of  and  initial  business 
requirements  for  critical  PeopleSoft 
improvements 

The  priorities  of  the  final  phase  (phase  4)  focus  on 
implementing  and  adopting  new  accountabilities, 
authorities,  processes  and  policies  using 
PeopleSoft's  automated  workflows,  system  controls 
and  improved  access  to  information.  Key  areas 
include: 

the  Accountability  and  Authority  Framework 
being  enabled  by  PeopleSoft 
Shared  Service  Delivery  Team  deployed 
support  units  being  reorganized  as  required 
research  financial  processes  and  organization 
redesign  complete 

changes  to  core  financial  processes  to  meet 
the  unique  needs  of  research 
design  changes  to  PeopleSoft,  with  appropriate 
support  provided 

To  fully  implement  this  recommendation,  the 
University  must  adhere  to  the  key  activities  and 
timelines  identified  for  the  final  two  phases  of  the 
iS2  project.  Specifically,  the  University  needs  to 
complete  its  plan  to: 

document  its  control  environment  and 
implement  training  programs  to  ensure  those 
responsible  for  business  processes  have 
adequate  knowledge  to  perform  their  duties 
monitor  controls  to  ensure  processes  operate 
effectively 

Prepare  approved  budget  on  an 
accrual  basis — implemented 
Background 

In  our  October  1999  Report  (page  83),  we 
recommended  that  the  University  of  Calgary 
prepare  its  budget  on  an  accrual  basis,  reporting 
all  transactions  in  the  same  way  they  would  be 
reported  in  its  financial  statements. 

At  that  time,  we  found  that  the  University's  used 
a  cash  based  model  for  budgeting  instead  of  an 


accrual  model.  It  treated  certain  non-expense 
items,  such  as  capital  acquisitions  and  internal 
transfers,  as  operating  expenditures.  Also,  its 
budget  did  not  account  for  amortization  costs, 
donations,  pension  liability  changes  or  certain 
restricted  revenues  and  related  expenditures, 
such  as  sponsored  research,  and  showed  certain 
expenditures  on  a  net  basis  instead  of  a  gross 
basis. 


Our  audit  findings 


Key  Points 


•  Improved  budget  practices  resolved  deficiencies 

•  Budgets  are  prepared  on  an  accrual  basis 

The  University  fully  implemented  our  1999 
recommendation  by  preparing  its  recent  years' 
budgets  using  the  practices  it  uses  for  its  financial 
statements.  To  resolve  the  critical  deficiencies 
highlighted  in  our  original  audit,  University 
management  changed  its  budget  practices  to 
include: 

separating  and  excluding  non-expense  items 
such  as  capital  acquisitions  from  its  operating 
budget  expenses 

reflecting  previously  excluded  items  such  as 
amortization  costs,  restricted  revenues  and 
expenses,  and  annual  estimates  of  pension 
expenses 

preparing  a  separate  capital  budget,  which 
clearly  shows  how  the  planned  projects  are  to 
be  funded 

reporting  components  such  as  ancillary 
services  on  a  gross  basis,  showing  expected 
gross  revenues  and  expenses  instead  of  a  net 
result 

Balanced  budgeting — implemented 
Background 

In  our  October  1999  Report  (page  86).  we 
recommended  that  the  University  of  Calgary 
review  its  budgeting  process  to  determine  whether 
its  definition  of  a  balanced  budget  is  adequate 
to  ensure  programs  and  facilities  are  supported 
and  will  continue  to  be  supported.  A  balanced 
budget  should  consider  not  only  the  current  year's 
operating  revenues  and  expenses,  but  also  building 
a  sufficient  base  of  net  assets  to  sustain  future 
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needs  of  the  University.  It  should  also  reflect  the 
University's  commitment  to  allow  faculties  and 
business  units  to  carry  unspent  money  forward 
for  use  in  future  years.  The  University  calls  these 
commitments  carryover  reserves.  The  major  issues 
that  led  to  our  recommendation  were  that  the 
University: 

did  not  properly  budget  for  capital  expenditures 
and  amortization  costs.  It  based  capital 
expenditures  on  cash  revenues  remaining 
after  operating  needs  were  met  and  did  not 
budget  for  amortization  expenses.  Under  this 
approach,  the  budget  did  not  allow  for  sufficient 
funds  to  maintain  and  replace  the  University's 
capital  assets. 

did  not  have  a  capital  plan  that  identified 
strategies  for  funding  its  long-term  capital 
requirements 

did  not  have  sufficient  and  available  net  assets 
to  meet  carryover  reserves  commitments 
reported  at  $47.9  million  in  its  1997-1998 
financial  statements 

At  that  time,  we  stated  that  it  would  be  useful  for 
the  University  to  define  a  balanced  budget  as  one 
that  maintains  a  capital  base  (equity)  that  meets 
the  University's  overall  fiscal  needs.  Otherwise,  the 
existing  capital  base  could  be  consumed,  putting 
the  University  at  financial  risk. 


Our  audit  findings 


Key  Points 


•  Accrual  based  budgets  prepared 

•  Separate  capital  budget  prepared 

•  Implemented  stringent  spending  controls  over 
carryover  reserve  balances 

•  Reduced  unfunded  carryover  reserve 
commitments  by  $20  million 

•  University  faces  challenges  to  eliminate 
$11  million  deficit  and  sustain  operations 

The  University  has  substantially  implemented  the 
recommendation  through  several  measures.  These 
include: 

preparing  budgets  on  an  accrual  basis, 
including  budgeting  for  amortization  expenses 
and  preparing  a  separate  long-term  capital 
budget  with  identified  sources  of  capital  asset 
funding — This  approach  provides  the  University 
with  good  information  for  management 
to  decide  on  spending,  including  setting 


aside  sufficient  reserves  for  future  asset 
replacements  and  establishing  sources  of 
funds  for  capital  asset  acquisitions, 
performing  a  comprehensive  review  of 
historical  carryover  reserve  balances  (valued 
at  $47.9  million  in  the  fiscal  year  1998)  and 
other  internally  restricted  accounts — This 
review  resulted  in  stringent  disciplines  such 
as  removing  the  authority  from  faculties, 
departments  and  business  units  to  spend 
fiscal  year  2008  carryover  reserve  balances 
of  $28  million.  The  University  also  reduced 
its  unfunded  carryover  reserve  commitments 
by  $20  million  from  fiscal  year  1998  to  fiscal 
year  2009. 

improving  its  annual  budget  practices  through 
a  business  planning  process  that  includes 
forecasts,  a  four-year  business  and  capital 
plan,  resources  set  aside  for  contingencies  and 
internally  restricted  net  assets 
lowering  spending  rates  of  endowment 
investment  earnings  (reduced  from  4.875%  for 
fiscal  2009  to  4%  for  fiscal  2010) 

Although  the  University  made  substantial 
improvements  to  its  budget  processes,  the 
University  currently  faces  diverse  challenges  that 
reflect  the  importance  of  the  recommendations  we 
made  to  them  ten  years  ago.  These  include: 

eliminating  the  March  31,  2010  unrestricted  net 

deficit  of  $11  million 

minimizing  the  deferred  maintenance  liability, 
estimated  to  be  in  excess  of  $362  million 

The  University's  2009-2013  business  plan 
forecasts  operating  budget  deficits  ranging  from 
$17  million  to  $47  million  for  fiscal  years  2011  to 
2013.  The  University  has  set  goals  to  eliminate 
these  deficits.  For  example,  a  performance 
measure  in  the  2009-2013  business  plan  targets 
a  level  of  unrestricted  net  assets  with  a  positive 
balance  of  $50  million  at  the  end  of  the  201 2-201 3 
fiscal  year.  The  University's  management  and 
Board  understand  the  need  to  resolve  its  deficit 
position  and  better  use  resources  allocated  to 
it.  It  is  taking  steps  to  live  within  its  means.  For 
example,  the  University  is  working  on  a  multi-year 
business  transformation  project,  called  iS2  with  a 
goal  to  reduce  its  administrative  costs  and  improve 
efficiencies. 
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The  University  is  also  working  with  the  Department 
of  Advanced  Education  and  Technology  to  reduce 
its  deferred  maintenance  liability. 

Improve  payroll  controls — implemented 

In  our  October  2009  Report,  (page  154),  we  noted 
that  for  salaried  employees,  exception  time,  such 
as  overtime,  vacation  or  sick  leave,  is  entered  into 
PeopleSoft  at  the  department  level.  Employee's 
managers  must  approve  the  time  in  PeopleSoft. 
However.  Central  Human  Resources  automatically 
approved,  on  a  mass  basis,  any  exception  time  not 
approved  by  an  employee's  manager. 

The  current  process  requires  that  a  time  and  labor 
specialist  review  and  request  departments  to 
approve  any  unapproved  time.  The  specialist  will 
also  follow  up  with  departments  who  have  not  yet 
approved  time  from  the  previous  pay  cycle.  The 
University  does  not  include,  in  the  pay  run,  any 
time  that  has  not  been  appropriately  approved.  We 
did  not  identify  any  instances  of  mass  approvals  of 
exception  time  since  the  University  implemented 
this  process. 

Improving  executive  compensation 
processes — implemented 

In  our  October  2009  Report  (no.  18— page  146), 
we  recommended  that  the  University  establish 
systems  and  processes  to  guide  all  aspects  of 
compensation,  including  timely  negotiation  and 
completion  of  pension  and  employment  contract 
arrangements  for  senior  executive  positions. 

The  University  has  implemented  this 
recommendation.  In  April  2009,  the  Board  of 
Governors  replaced  its  Senior  Compensation 
Committee  with  a  Human  Resources  and 
Governance  Committee.  The  Committee's  purpose 
is  to  advise  and  guide  the  Board  of  Governors 
on  governance  practices,  human  resources  and 
compensation  matters. 

In  February  2010,  the  Board  approved  an  interim 
executive  compensation  approval  process 
recommended  by  the  Committee.  The  interim 


approval  process  requires  general  counsel  to 
review  offers  that  create  a  long-term  obligation  for 
the  University.  This  process  was  used  to  determine 
the  compensation  for  the  newly  appointed 
president. 

Improving  controls  over  journal 
entries — implemented 

In  our  October  2008  Report  (page  217),  we 
recommended  that  the  University  of 
Calgary  improve  controls  for  approvals  and 
documentation  of  journal  entries.  We  repeated 
the  recommendation  in  our  October  2009  Report 
(page  157). 

The  University  approved  a  new  Journal  Entry 
Policy,  effective  March  2010.  It  defines  the  roles 
of  the  journal  creator  and  approver,  and  clarifies 
the  responsibilities  and  accountabilities  associated 
with  each  role.  The  policy  aims  to  ensure  that 
journal-entry  transactions  are  correct,  reviewed 
and  substantiated  by  sufficient  supporting 
documentation.  In  addition  to  the  policy,  the 
University  has  taken  steps  to  validate  that  journal 
creators  and  approvers  read,  understand  and 
agree  to  comply  with  the  policy.  As  part  of  creating 
and  approving  journal-transaction  entries,  the 
PeopleSoft  system  will  not  allow  journals  to  be 
processed  without  proper  review  and  approval. 

Controls — Research  and  trust 
accounts — implemented 

In  our  October  2004  Report  (page  257),  we 
recommended  that  the  University  of  Calgary 
improve  controls  over  sponsored  research  and 
trust  accounts.  We  repeated  it  in  our  October 
2007  Report  (page  15).  We  identified  deficiencies 
in  the  processes  for  monitoring  over-expended 
projects,  reporting  to  research  sponsors,  monitoring 
research  and  trust  aged-receivables  and  updating 
the  University's  Signing  Authority  Policy.  Last 
year,  we  followed  up  the  University's  progress  in 
addressing  the  deficiencies  and  confirmed  that  the 
University  had  successfully  dealt  with  three  of  the 
four  areas  of  the  deficiencies. 
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The  remaining  deficiency  was  that  the  University's 
Signing  Authority  Policy  did  not  delegate  signing 
authority  to  researchers,  principal  investigators 
or  research  staff  buying  goods  and  services. 
The  signing  authority  policy  has  been  updated 
to  include  appropriate  staff  from  Research  and 
Development. 

General  computer  controls — 
implemented 

In  our  October  2006  Report  (vol.  2— page  20),  we 
recommended  that  the  University  strengthen  the 
overall  computer  control  environment  by  clearly 
defining  the  role  and  responsibilities  of  the  Chief 
Information  Officer  and  resolving  deficiencies  in  the 
following  areas: 

defining  standards 

strategic  planning 

risk  assessment  and  mitigation 

IT  disaster  recovery  planning 

day-to-day  operations 

Our  recommendation  included  11  specific  control 
activity  areas  for  the  University  to  implement. 
The  University's  management  agreed  with  the 
recommendation  and  the  11  areas  for  improvement 
and  started  a  project  to  develop  and  implement 
efficient  and  effective  procedures  to  remediate 
them. 

In  previous  years,  the  University  successfully 
implemented  six  control  areas.  This  year, 
we  followed-up  on  the  University's  progress 
implementing  the  final  five  control  areas.  The 
University  successfully  implemented  four  of  the 
five  remaining  control  areas.  We  now  consider 
this  recommendation  effectively  implemented. 
We  will  follow-up  on  the  final  outstanding  control 
activity — no  standards  for  business  cases  or 
post-implementation  reviews  of  completed 
projects — through  the  IT  governance  and  IT  control 
framework  recommendation. 

University  of  Lethbridge 

Endowment  policies 
Background 

The  University  had  approximately  $34.5  million  in 
endowments  as  at  March  31,  2010.  Earnings  from 

118 


endowment  investments  support  scholarships, 
bursaries  and  teaching.  An  objective  of  the 
University's  Endowment  Management  Policy  is  to 
administer  endowments  to  meet  annual  spending 
requirements  while  preserving,  as  much  as 
possible,  the  economic  value  (that  is,  to  inflation- 
proof)  of  the  original  endowment  funds. 

The  University  allocates  all  investment  income 
earned  to  a  capitalized  investment  earnings 
account.  It  allocates  a  "spending  allocation" 
from  this  account,  to  pay  for  related  endowment 
expenses.  The  policy  also  requires  the  University  to 
allocate  to  the  capitalized  investment  account  any 
unspent  funds. 

While  some  donors  encourage  spending 
all  endowment  investment  earnings,  others 
expect  institutions  to  preserve  the  real  value  of 
endowments  over  time.  As  an  example,  in 
2005-2006,  the  Government  of  Alberta  began  to 
preserve  the  real  value  of  the  Alberta  Heritage 
Savings  Trust  Fund  by  retaining  a  portion  of 
investment  earnings  in  the  fund. 


Recommendation:  improve  endowment 
policies 


RECOMMENDATION 


We  recommend  that  the  University  of 
Lethbridge  improve  its  endowment  policies  and 
procedures  by: 

clarifying  its  goals  for  preserving  the  real 
value  of  endowments,  and  how  it  plans  to 
achieve  this 

tracking  investment  income  between 
amounts  for  preserving  the  real  value  of 
investments  and  amounts  available  for 
spending 

Criteria:  the  standards  for  our  audit 

The  University  should  have: 

established  goals  and  performance  measures 
to  preserve  endowments,  and  administrative 
policies  and  processes  to  ensure  it  meets  those 
goals 

clear  policies  to  guarantee  long-term 
sustainability  of  spending  from  endowment 
investment  earnings 
procedures  to  ensure  that  investment 
managers  account  for  investment  income  in 
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accordance  with  generally  accepted  accounting 
principles 


Our  audit  findings 


Key  Points 


•  No  clear  goals  to  inflation-proof  endowments  or 
ways  to  track  if  it  is  achieving  the  goal 

•  Unclear  if  University  is  preserving  endowments 

•  Errors  corrected  in  University's  2009  and  2010 
financial  results 

The  University's  endowment  objective  is  to 
preserve  the  economic  value  of  endowments 
as  much  as  possible.  To  that  end,  the  University 
allocates  excess  investment  income  to  the 
capitalized  investment  income  account.  However,  it 
does  not  have: 

clear  goals  or  a  plan  for  preserving  the 
economic  value  of  endowments 
a  way  to  track  the  portion  of  the  capitalized 
investment  account  needed  to  preserve  the 
economic  value  of  endowments  and  determine 
how  much  is  available  for  spending  in  current 
and  future  years 

As  a  result,  the  University  is  unable  to  determine  if 
the  amount  it  allocates  to  the  capitalized  investment 
earnings  preserves  or  exceeds  the  economic  value 
of  the  endowments.  The  University  should  clarify 
its  policies  to  indicate  how  it  plans  to  preserve  the 
economic  value  of  endowments.  It  should  also 
improve  its  processes  to  track  investment  income 
by  distinguishing  between  amounts  available  for 
spending  and  needed  for  preserving  the  economic 
value  of  each  endowment.  This  process  should 
include  setting  a  target  economic  value,  identifying 
its  actual  value  and  identifying  any  encroachment. 

In  addition,  the  University  incorrectly  recorded 
investment  income  from  external  endowment 
contributions  that  are  used  for  spending  as 
direct  increases  to  endowment  net  assets.  The 
University  adjusted  the  2010  and  2009  financial 
statements  by  $740,000  and  $425,000  respectively 
to  recognize  the  investment  income  as  revenue  to 
match  the  corresponding  expenses.  The  University 
also  recorded  the  unspent  investment  income 
as  a  direct  increase  to  net  assets.  However, 
the  University  has  not  formally  established  the 


"inflation-proofing  portion"  of  the  endowment 
investment  income.  Once  the  University  determines 
the  amount  needed  to  preserve  the  endowments, 
it  should  record  any  excess  investment  income  as 
deferred  contributions,  instead  of  endowments. 


Implications  and  risks  if  recommendation 
not  implemented 

Without  clear  goals  to  preserve  the  endowment 
balance  and  an  endowment  policy  that  defines  the 
recapitalization  to  manage  endowment  earnings, 
the  University  may  be  exposed  to  inconsistent 
spending  and  recapitalization  practices  and  may 
not  be  meeting  donors'  expectations. 


Financial  statements 


Our  auditor's  opinions  on  the  financial  statements 
for  the  following  entities  for  the  years  ended 
March  31,  2010  and  2009,  were  unqualified. 

Ministry  of  Advanced  Education  and 

Technology 

Department  of  Advanced  Education  and 
Technology 

Access  to  the  Future  Fund 

Alberta  Enterprise  Corporation 

Alberta  Innovates — Bio  Solutions 

Alberta  Innovates — Energy  and  Environment 

Solutions 

Alberta  Innovates — Health  Solutions  and 
its  subsidiary  Alberta  Foundation  for  Health 
Research 

Alberta  Innovates — Technology  Futures  and  its 
subsidiary  CFER  Technologies  Inc. 
Athabasca  University 
University  of  Alberta 
University  of  Calgary 
University  of  Lethbridge 

To  be  reported  in  April  2011 
Our  April  201 1  report  will  include  the  results  of  the 
financial  statement  audits  of  the  following  entities 
that  have  a  June  30,  2010  year  end: 

Alberta  College  of  Art  and  Design 

Bow  Valley  College 

Grande  Prairie  Regional  College  and  its  related 
entity  Fairview  College  Foundation 
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Grant  MacEwan  University  and  its  related  entity 

Grant  MacEwan  University  Foundation 

Keyano  College 

Lakeland  College 

Lethbridge  College 

Medicine  Hat  College 

Mount  Royal  University  and  its  subsidiary/ 

related  entities  Mount  Royal  University  Day 

Care  Society  and  Mount  Royal  University 

Foundation 

NorQuest  College 

Northern  Alberta  Institute  of  Technology  and  its 
related  entity  the  Northern  Alberta  Institute  of 
Technology  Foundation 
Northern  Lakes  College 
•     Olds  College 
Portage  College 
Red  Deer  College 

Southern  Alberta  Institute  of  Technology 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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Summary  of  our  recommendations 


The  Department  of  Agriculture  and  Rural 

Development  has  implemented: 

our  October  2006  recommendation  to  verify 
information  on  Farm  Fuel  Benefits  applications 
and  require  regular  renewal — see  below 
our  October  2003  recommendation  on 
performance  measurement — see  below 
our  October  2000  recommendation  to  improve 
management  information — see  page  122 

Agriculture  Financial  Services  Corporation  should: 
improve  its  processes  to  determine  the  specific 
loan  loss  allowance — see  page  122 
improve  its  processes  for  conducting 
compliance  audits  and  investigations — see 
page  123 

Agriculture  Financial  Services  Corporation: 
implemented  our  October  2009 
recommendation  to  perform  a  quarterly  review 
of  its  investments — see  page  126 
had  changed  circumstances  that  make  our 
October  2009  recommendation  to  verify  the 
cost  effectiveness  of  debt  restructuring  not 
applicable — see  page  127 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Findings  and  recommendations 


Department  of  Agriculture  and 
Rural  Development 

Verifying  eligibility  for  Farm  Fuel  Benefit 

program — implemented 

Background 

The  Alberta  Farm  Fuel  Benefit  program  provides 
farmers  with  a  tax  exemption  benefit,  allowing 


them  to  purchase  dyed  gasoline  and  diesel  that 
is  exempt  from  the  90/litre  provincial  fuel  tax. 
In  addition,  the  Alberta  Farm  Fuel  Distribution 
Allowance  (AFFDA)  further  reduces  the  cost  of 
marked  diesel  fuel  by  60/litre.  The  current  fuel 
tax  on  propane  is  6.50/litre,  and  propane  used  for 
farming  purposes  is  exempt  from  this  tax. 


Our  audit  findings 

In  our  October  2006  Report  (no.  24,  vol.  2— 
page  37),  we  recommended  that  the  Department  of 
Agriculture,  Food  and  Rural  Development  improve 
its  administration  of  the  Alberta  Farm  Fuel  Benefit 
program  by: 

verifying  information  on  completed  program 

application  forms 

requiring  applicants  to  regularly  renew  their 
registration  in  the  program 

In  December  2008,  the  Department  started  a 
three-year  continuous  Alberta  Farm  Fuel  Benefit 
program  renewal  process.  Each  year,  the 
Department  contacts  one-third  of  AFFB  program 
registrants  to  renew  their  AFFB  registration 
number  and  update  their  renewal  forms.  The 
renewal  information  is  used  to  determine  if 
producers  are  still  eligible  to  use  marked  fuel  in 
their  farming  operations.  Renewals  for  2008  and 
2009  are  substantially  complete;  they  resulted  in 
approximately  5,000  producers  being  cancelled. 
We  reviewed  the  renewal  and  verification  process 
and  are  satisfied  that  the  process  ensures  the 
eligibility  of  recipients. 

Improve  the  process  to  compile  Ministry 
performance  measures — implemented 
Background 

We  followed  up  on  our  October  2003  Report 
(no.  3 — page  49)  recommendation  for  the 
Department  to  strengthen  the  process  used  to 
compile  its  performance  measures. 
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Our  audit  findings 

The  Department  has  designated  a  performance 
measures  manager  and  a  performance  measures 
analyst  to  support  the  process,  and  used  standard 
performance  measure  templates  to  document  the 
measures.  Results  were  available  promptly. 
Management  also  significantly  strengthened  the 
quality  review  process  of  draft  results  before 
including  them  in  the  draft  annual  report.  Our 
review  of  the  narrative  sections  for  the  reviewed 
performance  measures  identified  no  significant 
errors.  This  supports  the  conclusion  that  the 
Department  carefully  performed  the  review  process 
to  ensure  that  accurate,  reliable  numbers  are 
included  in  the  draft  annual  report. 

Improved  management  information — 

implemented 

Background 

We  followed  up  on  our  October  2000  Report 
(page  44)  recommendation  for  the  Department  to 
improve  performance  reporting,  thereby  providing 
better  management  information  for  decision-making 
and  enabling  the  Department  to  better  align  its 
annual  report  with  its  business  plan. 


Our  audit  findings 

The  Department  implemented  a  new  system — 
OPAR  (Operational  Planning  and  Reporting 
System) — as  a  tool  to  capture  and  report 
operational  data. 

OPAR  facilitates  development  of  a  Ministry 
operational  plan  and  enables  review  of  sector 
and  division  operational  plans  across  the 
Department.  OPAR  encompasses  the  strategies 
and  performance  measures  from  the  Department's 
business  plan,  as  well  as  day-to-day  business 
activities  and  targets  from  performance  reporting 
criteria  such  as  the  Deputy  Minister's  performance 
contract  and  long-term  strategic  objectives. 

The  Department  trained  all  divisions  on  how  to 
use  the  system.  The  divisions  have  entered  their 


operational  plans  into  OPAR  and  followed  the 
templates  provided.  The  Department  is  further 
fine-tuning  the  information  in  divisional  operational 
plans.  The  reporting  system  is  in  place  and 
divisions  are  using  OPAR  on  a  quarterly  basis  to 
update  management  information,  support  decision 
making,  and  align  the  strategic  and  operational 
decisions  with  performance  indicators. 

Agriculture  Financial  Services 
Corporation 

Specific  loan  loss  allowance 
Background 

The  loan  loss  allowance  is  an  estimate  of  the 
losses  that  exist  in  AFSC's  loan  portfolio  at  a 
specific  time.  The  loan  loss  allowance  has  two 
parts — the  specific  loan  loss  allowance  and  the 
general  loan  loss  allowance. 

The  specific  allowance  for  loan  losses  is  made 
on  accounts  that  are  individually  identified  as  being 
impaired.  The  specific  allowance  calculation  is 
derived  from  total  debt,  less  the  interest  revenue 
(which  is  not  recognized  on  impaired  loans),  less 
the  net  present  value  of  security. 

AFSC's  specific  loan  loss  allowance  as  at 
March  31,  2010  is  $7.5  million.  It  includes 
31  accounts,  representing  0.5%  of  AFSC's  loan 
portfolio  ($1,302  million  and  over  10,000  accounts). 


Recommendation:  verify  accuracy  of 
specific  loan  loss  allowance 


RECOMMENDATION 


We  recommend  that  Agriculture  Financial 
Service  Corporation  improve  the  effectiveness 
of  processes  to  determine  the  specific  loan  loss 
allowance  on  impaired  loans. 


Criteria:  the  standards  for  our  audit 

The  specific  loan  loss  allowance  should  be 
accurately  recognized  using  AFSC's  methodology, 
and  reviewed  promptly  by  knowledgeable 
authorized  personnel,  to  ensure  that  the  lending 
portfolio  is  fairly  stated. 
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Our  audit  findings 


Key  Points 


•  Calculation  errors  in  specific  loan  loss  allowance 

•  Ineffective  review  of  calculated  allowance 

We  examined  AFSC's  list  of  impaired  loans  as  of 
December  31 ,  2009,  and  tested  the  controls  on  the 
calculation  of  the  specific  allowance,  security 
values  and  estimated  costs  to  collect.  We  found  the 
following  errors  in  the  control  testing: 

In  four  out  of  10  loans  that  we  examined,  the 
calculation  of  the  specific  loan  loss  allowance 
was  inaccurate  and  did  not  comply  with  AFSC's 
policy.  This  resulted  in  an  overstatement  of  the 
specific  allowance  of  S406.000.  By  year  end, 
AFSC  had  corrected  the  error. 
In  three  out  of  16  loans  that  we  sampled, 
the  estimated  costs  to  collect  did  not 
comply  with  AFSC's  policy.  The  account 
managers  overlooked  deducting  prior 
charges,  or  calculated  the  costs  to  collect 
based  on  multiple  loans.  This  resulted  in  an 
overstatement  of  costs  to  collect  and  of  the 
specific  allowance  of  $1 37,000.  By  year-end, 
AFSC  had  developed  a  spreadsheet  to  ensure 
costs  to  collect  are  within  policy  and  would  be 
reviewed  on  a  quarterly  basis. 
Five  out  of  12  impaired  loans  that  we  reviewed 
had  discrepancies  in  their  security  values  in 
the  two  lending  systems.  These  differences 
resulted  in  understatement  of  the  specific  loan 
loss  allowance  of  $458,000.  By  year-end, 
AFSC  had  developed  a  spreadsheet  to 
compare  security  values  between  the  two 
systems.  Management  reviewed  results 
quarterly. 

We  performed  further  testing  on  the  specific  loan 
loss  allowance  at  year-end.  We  found  the  following 
errors  through  our  testing: 

Three  of  25  loans  were  impaired  in  April  201 0, 
although  the  underlying  conditions  for  a 
doubtful  loan  existed  before  March  31,  2010. 
This  resulted  in  an  understatement  of  the 
specific  loan  loss  allowance  of  $107,000. 
Four  of  25  loans  were  not  impaired  as  at 
March  31,  2010,  although  the  indicators  of 


impairment  existed  (payment  in  arrears, 
security  shortfall  between,  security  actions, 
etc.).  This  resulted  in  an  understatement  of  the 
specific  loan  loss  allowance  of  $999,000. 
These  loans  were  not  captured  by  the  general 
loan  loss  report,  as  loans  in  security  action  will 
not  be  reported  on  the  general  reserve  report 
(the  assumption  was  that  those  loans  will  be 
specifically  impaired).  AFSC  is  revising  the 
criteria  for  the  general  loan  loss  allowance  to 
capture  these  loans  in  future  years. 

These  errors  arose  because  AFSC  did  not  perform 
an  effective  review  to  ensure  that  the  specific 
allowance  was  appropriately  recognized  on 
impaired  loans.  After  we  identified  the  errors,  AFSC 
recorded  a  correcting  adjustment  in  the  financial 
statements. 

Implications  and  risks  if  recommendation 
not  implemented 

Inaccurate  calculation  of  the  specific  loan  loss 
allowance  may  result  in  misstated  financial 
statements.  In  addition,  AFSC's  Board  and  senior 
management  may  not  have  sufficient  information  to 
monitor  and  manage  the  lending  portfolio. 

Cross-compliance  review 
Background 

AFSC  runs  several  programs  and  offers  many 
products  to  support  the  business  needs  of  farmers, 
the  agriculture  industry  and  small  businesses  in 
Alberta.  Its  main  program  areas  are  lending  and 
business  risk  management  (BRM).  BRM  programs 
include  income  stabilization,  disaster  assistance 
and  insurance. 

In  2008-2009,  AFSC  provided  $662  million  to 
Alberta  producers  through  three  programs — 
AgriStability, 1  Agrilnvest2  and  Production 


AgriStability  provides  support  when  a  producer  experiences 
larger  farm  income  losses.  The  program  covers  declines 
of  more  than  15%  in  a  producer's  average  income  from 
previous  years. 

Agrilnvest  is  a  savings  account  for  producers,  supported 
by  governments.  It  provides  coverage  for  small  income 
declines  and  allows  for  investments  that  help  mitigate  risks 
or  improve  market  income. 
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Insurance.3  The  breakdown  of  AFSC's  program 
expenses4  are  as  follows: 


Agrilnvest 

and 
AgriStability 

(in  thousands) 

Production 
Insurance 

Lending 

Hail 
Insurance 

Other 

Total 

$357,014 

$304,754 

$80,026 

$79,821 

$8,227 

$829,842 

43% 

37% 

10% 

9% 

1% 

100% 

Table  1 :  AFSC's  Program  Expenses  Breakdown 


Four  departments  report  to  AFSC's  vice-president 
of  risk  management:  Business  Risk  Management, 
Insurance  Operations,  Program  Development 
and  Policy  and  Program  Cross-Compliance  and 
Investigations  Group  (PCCI). 

AFSC's  program  areas  are  responsible  for  filing 
and  processing  claims  submitted  for  various 
programs  offered  byAFSC  and  ensuring  claims 
comply  with  program  guidelines.  PCCI  was  created 
from  an  identified  need  to  have  a  separate  group 
dedicated  to  reviewing  the  accuracy,  reliability  and 
integrity  of  information  provided  by  customers  to 
AFSC.  PCCI  is  responsible  for  identifying  areas  of 
non-compliance  and  inconsistencies  in  information 
provided  by  customers  within  and  between 
programs  to  protect  the  integrity  of  AFSC's 
programs.  Alberta  is  one  of  the  first  provinces  to 
have  a  group  like  PCCI. 

Files  reviewed  by  PCCI  are  either  identified  and 
selected  by  PCCI  or  are  referred  from  complaints 
or  concerns  received  by  parties  either  internal 
or  external  to  AFSC.  Once  a  file  is  selected  or 
referred,  PCCI  assesses  the  file  to  determine 
whether  an  investigation  is  warranted.  The 
preliminary  assessment  includes  extracting  and 
analyzing  data  obtained  from  AFSC  program 
databases  and  reviewing  it  for  non-compliance  or 
inconsistencies. 

If  non-compliance  or  inconsistencies  are  found, 
the  file  is  further  assessed  for  causes  such  as  a 

3  Production  Insurance  includes  insurance  against 
production  losses  for  specific  perils  (weather,  pests, 
disease)  and  is  being  expanded  to  include  more 
commodities. 

4  Based  on  AFSC's  2008-2009  Annual  Report,  reported  in 
thousands  of  dollars  less  AFRP  II  program  of  $300  million. 
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misunderstanding,  misrepresentation,  an  error  or 
an  alleged  act  to  commit  fraud.  This  determination 
is  made  through  interviews  with  AFSC  staff, 
program  participants,  business  associates  and 
authorized  representatives,  to  identify  and  clarify 
inconsistencies  in  information  provided.  PCCI 
must  apply  knowledge  of  AFSC's  programs  as 
well  as  the  Agriculture  Financial  Services  Act  and 
regulations,  federal — provincial  agreements,  and 
policy  and  procedures  governing  the  programs. 

If  there  appears  to  be  an  alleged  fraud  or 
misrepresentation,  PCCI's  investigations  will 
involve  legal  counsel,  the  RCMP  and  Crown 
prosecutors.  In  these  instances,  PCCI  is  the  lead  to 
prepare  exhibits,  act  as  a  key  witness  and  ensure 
adequate  file  documentation  exists  to  support 
the  work  performed,  findings,  conclusions  and 
recommendations.  PCCI  works  with  legal  counsel 
and  this  may  involve  examinations  under  oath  in 
civil  litigation  and  criminal  prosecution. 

Upon  completion  of  a  file  review,  examination  or 
investigation,  PCCI  provides  recommendations  to 
program  administration  staff  to  reassess  program 
benefit  entitlements.  PCCI  also  reports  any  control 
weaknesses  identified  as  a  result  of  its  file  reviews, 
and  recommends  areas  for  policy  and  procedure 
improvements. 


Recommendation:  improve  processes  for 
conducting  compliance  audits 


RECOMMENDATION  NO.  12 


We  recommend  Agriculture  Financial  Services 
Corporation  improve  its  processes  for 
conducting  compliance  audits  and  investigations 
by: 

clearly  defining  the  roles  and  responsibilities 
of  the  Program  Cross  Compliance  and 
Investigations  group 

improving  the  coordination  between  PCCI 
and  program  areas 

Criteria:  the  standards  for  our  audit 

AFSC  should  have  effective  processes  for 
conducting  compliance  audits  and  resolving  issues 
between  the  program  areas  and  PCCI. 
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Our  audit  findings 


Key  Point 


Need  to  improve  collaboration  between  PCCI  and 
program  areas  and  clarify  role  of  PCCI  within  AF5C 

PCCI  has  systems  to  conduct  its  compliance  audits 
and  investigations.  Generally,  they  work  effectively. 
However,  processes  to  guide  collaboration  between 
PCCI  and  the  program  areas  need  to  be  clarified  to 
establish  better  procedures,  responsibilities  and 
authorities.  We  also  found  PCCI  can  improve  its 
processes  for  selecting  files  to  review. 

We  examined  the  systems  used  by  PCCI  for 
conducting  compliance  audits  during  the  year 
ending  March  31,  2009.  Our  work  included 
examining  a  number  of  files  reviewed  by  PCCI  and 
their  processes  for  completing  investigations  and 
collaborating  with  the  program  areas  on  the  results 
of  the  investigations.  The  following  is  a  summary  of 
the  findings  from  our  audit. 

PCCI's  roles  and  responsibilities — PCCI's  role 
is  to  support  the  program  areas  within  AFSC  by 
conducting  compliance  verification  procedures. 
PCCI's  mission  statement  outlines  its  scope  and 
responsibilities,  which  include  reviewing  high-risk 
files  to  protect  the  integrity  of  AFSC's  programs. 

We  examined  a  sample  of  four  files  that  had  been 
assigned  to  PCCI  for  review,  but  were  transferred 
back  to  the  Business  Risk  Management  Unit 
prior  to  completion  by  PCCI.  These  files  were 
complex;  obtaining  supporting  documentation 
was  difficult.  At  the  time  of  our  review,  two  files 
had  been  completed  by  the  BRM  unit,  but  they 
were  continuing  work  on  the  others.  We  made  the 
following  observations: 

The  results  from  PCCI's  preliminary  review 
were  different  from  the  final  results  processed 
by  BRM  for  two  of  the  files.  There  was  no 
process  to  assess  the  differences  in  the 
approach  and  involve  PCCI  in  the  final 
assessment. 

Initially  there  was  no  documentation  showing 
the  direction  senior  management  gave  the 
BRM  specialists  at  the  time  the  files  were 
transferred  to  them,  nor  support  as  to  why  the 


files  were  transferred  back  to  BRM  prior  to 
PCCI  completing  their  work. 
There  was  no  documentation  of  the  criteria 
the  BRM  specialists  used  to  evaluate  the 
files,  making  it  difficult  to  determine  if  program 
guidelines  were  used  consistently  by  the 
various  specialists  involved  in  reviewing  these 
files. 

Since  we  raised  this  issue,  BRM  staff  documented 
the  criteria  for  file  selection,  review  procedures,  and 
conclusions  on  the  results  of  their  reviews.  Senior 
management  needs  to  complete  a  final  review  of 
the  results  and  conclusions. 

Criteria  for  referring  files  to  PCCI— The  program 
areas  did  not  have  criteria  to  identify  which  files 
to  refer  to  PCCI.  Each  program  area,  with  input 
from  PCCI,  should  establish  criteria  to  identify 
when  information  submitted  on  a  claim  requires 
further  analysis  and  review.  Each  criterion  should 
be  regularly  reviewed  and  updated  based  on  trend 
analysis,  current  issues  and  high-risk  situations 
identified  by  program  areas  and  PCCI.  The  criteria 
should  be  the  basis  for  determining  which  files  are 
referred  to  PCCI  from  the  program  area. 

Verification  of  the  methodology  used  by  PCCI — 

Once  a  file  was  selected  or  transferred  to 
PCCI,  they  conducted  their  overview  and  risk 
assessment  of  the  file.  PCCI  did  not  confirm  their 
key  assumptions,  estimates,  program  guideline 
interpretations  and  methodology  with  the  program 
area  at  this  stage  of  their  review.  After  completing 
their  review,  PCCI  reported  their  findings  and 
proposed  adjustments  back  to  the  program  area. 
The  program  areas  have  the  final  authority  to 
conclude  on  claim  submissions,  and  do  not  have  to 
accept  PCCI's  findings.  We  found  there  was  limited 
communication  between  PCCI  and  the  program 
areas  throughout  PCCI's  review  process. 

Vetting  at  an  earlier  stage  of  PCCI's  review  process 
would  help  avoid  disagreements  with  PCCI's 
findings  after  completion  of  their  investigation. 
Consensus  should  be  reached  with  regards  to 
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interpretation  of  program  guidelines,  appropriate 
supporting  documentation  obtained  to  support 
claim  submissions  and  any  other  issues  deemed 
necessary.  Consultation  between  PCCI  and 
the  program  areas  should  occur  throughout  the 
process  of  PCCI's  review  especially  when  key 
assumptions  or  estimates  are  used  to  derive 
information  on  the  claim  submission. 

Resolution  of  file  investigations — AFSC  lacked 
formal  procedures  to  indicate  which  group, 
PCCI  or  the  program  area,  has  the  authority  and 
responsibility  to  decide  when  external  legal  counsel 
must  be  consulted  and  engaged  to  bring  resolution 
to  an  issue.  We  found  that  PCCI  was  performing 
this  work;  however,  there  is  no  formal  documented 
authority  allowing  PCCI  staff  to  represent  AFSC 
during  litigation  proceedings. 

Establishing  hold  on  payments — Once  PCCI 
selected  a  file  to  be  examined,  they  notified  finance 
to  hold  payments  to  the  producer  until  PCCI 
completed  their  review.  Some  PCCI  investigations 
required  extensive  work,  which  resulted  in  a 
producer's  file  being  put  on  hold  for  a  long  time. 
Some  producer's  may  have  their  file  reviewed 
by  PCCI  based  on  a  random  selection  process. 
It  takes  PCCI  one  to  two  weeks  to  complete  a 
preliminary  risk  assessment  of  a  file.  Normally, 
as  a  result  of  this  high  level  review,  PCCI  would 
determine  whether  potential  issues  require  further 
investigation.  To  prevent  unnecessary  delays  in 
payments  to  producers,  particularly  those  randomly 
selected  with  no  known  issues,  holds  on  payment 
could  be  considered  after  PCCI  completes  a 
preliminary  risk  assessment  and  identifies  potential 
issues. 

Responsibility  for  collections — AFSC  has 
not  defined  which  department  is  responsible  for 
collections  on  overpayments  for  producers.  There 
are  various  collection/offset  methods  that  must 
be  considered  in  the  event  of  an  overpayment, 
therefore,  determining  ownership  of  this  role  is 
important. 


Program  policies  and  procedures — When 
PCCI  completes  a  file  review,  examination  or 
investigation,  it  should  document  any  internal 
control  weaknesses  for  consideration  in  improving 
internal  processes  by  the  program  areas.  We 
did  not  observe  any  examples  of  identified 
improvements  from  PCCI  being  accepted  and 
implemented  by  the  program  areas. 

PCCI  process  for  selecting  claim  files  to 
review — PCCI  selected  files  to  examine  based 
on  the  dollar  value  of  the  claim,  linkage  to  another 
claim  being  reviewed,  random  selection  and 
through  complaints  received.  PCCI  could  improve 
the  selection  process  by  data-mining  program  data 
to  identify  high-risk  situations. 


Implications  and  risks  if  recommendation 
not  implemented 

Without  proper  processes  in  place,  PCCI  may 
not  be  able  to  fulfil  its  mission  of  reviewing  the 
information  provided  by  customers  to  protect  the 
integrity  of  AFSC's  programs.  Also,  improved 
coordination  between  PCCI  and  the  program  areas 
will  enhance  efficiencies  in  conducting  compliance 
reviews. 

Investment  portfolio  analysis — 

implemented 

Background 

In  our  October  2009  Report  (page  170),  we 
recommended  AFSC  perform  a  quarterly  review  of 
its  investments. 


Our  audit  findings 

We  found  that  AFSC  has  implemented  a  formal 
process  to  analyze  the  performance  of  its  portfolio 
investments.  On  a  quarterly  basis,  AFSC  reviews 
losses  in  value  of  the  portfolio  and  assesses 
whether  a  write-down  is  required  based  on  the 
following  criteria: 

if  the  loss  is  other  than  temporary 

if  the  percentage  decrease  in  the  market  value 

compared  to  the  carrying  value  is  significant 

(over  20%) 
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We  are  satisfied  that  this  review  process  will  ensure 
AFSC's  investments  are  properly  valued. 

Note  payable  repurchase — changed 

circumstances 

Background 

In  our  October  2009  Report  (page  1 70), 
we  recommended  that  AFSC  verify  the 
cost-effectiveness  of  debt  restructuring. 


Our  audit  findings 

We  learned  that  AFSC  did  the  debt  restructuring 
as  a  one-time  event  on  a  trial  basis.  It  has  no 
plans  to  use  debt  restructuring  as  a  regular 
cash  management  strategy  in  the  future.  The 
government  bonds  that  AFSC  purchases  are 
not  callable,  so  another  repurchase  is  not  likely 
to  happen  in  the  near  future.  AFSC  is  analyzing 
pursuing  hedging  and  derivative  markets  to 
mitigate  the  interest  rate  risk.  AFSC's  new  strategy 
for  mitigating  interest  rate  risks  makes  this  prior 
recommendation  now  invalid  due  to  changed 
circumstances. 


Financial  statements 


Our  auditor's  opinions  on  the  Ministry's  and 
Department's  financial  statements  for  the  years 
ended  March  31,  2010  and  2009,  were  unqualified. 

Our  auditor's  opinions  on  the  Agriculture  Financial 
Services  Corporation's  financial  statements  for 
the  years  ended  March  31 ,  2010  and  2009,  were 
unqualified. 

Our  auditor's  opinions  on  the  Alberta  Livestock  and 
Meat  Agency's  financial  statements  for  the  years 
ended  March  31,  2010  and  2009,  were  unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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Summary  of  our  recommendations 


Previously,  we  recommended  that  the  Ministry 
complete  its  risk  assessment  and  use  this  risk 
assessment  to  plan  internal  audit  activities.  This 
recommendation  is  no  longer  valid  due  to  changed 
circumstances — see  below. 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 

Risk  assessment  and  internal  audit — 
changed  circumstances 
Background 

In  our  October  2002  Report  (no.  9 — page  54), 
we  recommended  that  the  Ministry  improve 
accountability  for  audit  services  provided  by 
Alberta  Corporate  Services  Centre.  In  2002-2003, 
2003-2004  and  2004-2005,  we  followed  up  and 
concluded  that  the  Ministry  had  made  satisfactory 
progress. 

In  2003-2004,  we  restated  the  recommendation 
"that  the  Ministry  of  Children's  Services  complete 
its  risk  assessment,  and  use  this  risk  assessment 
to  plan  internal  audit  activities." 


Financial  statements 


Our  auditor's  opinions  on  the  financial  statements 
of  the  Ministry  and  Department  of  Children  and 
Youth  Services,  and  ten  Child  and  Family  Services 
Authorities  for  the  years  ended  March  31 ,  201 0  and 
2009,  were  unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 


Our  audit  findings 

The  Department  completed  and  documented  its 
enterprise  risk  assessment,  identified  mitigation 
strategies  and  appointed  risk  owners.  This 
assessment  evaluates  risks  at  a  Ministry  level.  The 
Department  no  longer  performs  its  own  internal 
audits.  Instead,  it  relies  on  the  Government  of 
Alberta's  Corporate  Internal  Audit  Services  (CIAS) 
for  this  function.  In  consultation  with  government 
departments  and  other  stakeholders,  CIAS 
performs  its  own  risk  assessments  to  develop  their 
annual  audit  plan. 

We  concluded  that  the  circumstances  giving  rise  to 
the  recommendation  have  changed. 
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For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Financial  statements 


Our  auditor's  opinions  on  the  financial  statements 
of  the  Ministry.  Department  and  the  following 
six  provincial  agencies  for  the  years  ended 
March  31,  2010  and  2009,  were  unqualified: 

Alberta  Foundation  for  the  Arts 

Historic  Resources  Fund 

Human  Rights  Education  and  Multiculturalism 

Fund 

The  Alberta  Historical  Resources  Foundation 
The  Government  House  Foundation 
The  Wild  Rose  Foundation 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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Summary  of  our  recommendations 


Entities  reporting  to  the  Minister 

Northland  School  Division  No.  61  should: 

ensure  that  it  obtains  a  legal  interest  in  land 
before  beginning  construction  of  schools — see 
below 

improve  its  financial  reporting  processes — see 
page  134 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Findings  and  recommendations 


Northland  School  Division  No.  61 

Acquiring  school  sites 
Background 

School  jurisdictions  often  obtain  land  for  school 
sites  without  purchasing  the  land.  Joint  use 
agreements  are  in  place  in  many  municipalities 
that  allow  school  jurisdictions  to  build  schools  on 
municipal  or  school  reserve  land. 

The  Metis  Settlements  Act  and  the  Metis 
Settlements  Land  Registry  Regulation  govern  the 
means  by  which  school  divisions  obtain  a  leasehold 
interest  in  land  within  a  Metis  Settlement.  The 
legislation  does  not  allow  the  Division  to  obtain  title 
to  land  within  a  Metis  Settlement.  However,  the 
regulation  allows  the  Division  to  obtain  a  leasehold 
interest  in  land  within  a  Settlement. 


Recommendation:  obtaining  an  interest  in 
land 


RECOMMENDATION  NO.  13 


We  recommend  that  Northland  School  Division 
No.  61  develop  processes  to  ensure  it  obtains 
a  valid  legal  interest  in  land  before  beginning 
construction  of  schools. 


Criteria:  the  standards  for  our  audit 

The  Division  should  obtain  title  or  leases  for 
long-term  access  to  school  sites  before  beginning 
construction. 


Our  audit  findings 


Key  Point 


Failure  to  secure  a  long-term  interest  in  school  sites 
increases  costs  and  risks 

The  Division  has  completed  construction  of  two 
schools,  in  the  East  Prairie  and  Peavine  Metis 
Settlements,  without  obtaining  long-term  leases 
to  govern  the  Division's  rights  to  access  the  sites 
to  operate  the  schools.  The  total  cost  to  construct 
these  schools  was  approximately  $19  million. 

In  the  Peavine  Metis  Settlement,  the  Settlement 
Council  had  not  obtained  a  Metis  title  to  the  school 
site  and  could  not  grant  a  leasehold  interest  to 
the  Division.  The  Division  completed  the  school 
for  September  2009,  but  had  not  obtained  either 
a  leasehold  interest  in  the  school  or  other  right 
of  access  to  operate  the  school  at  that  time.  The 
school  remained  vacant  from  September  2009  to 
April  2010.  The  Division  incurred  additional  costs 
to  continue  operating  in  the  old  school  and  to  heat 
and  provide  security  for  the  new  school. 

At  the  East  Prairie  Metis  Settlement,  the  Division 
had  not  completed  lease  negotiations  with  the 
Settlement  Council  prior  to  completing  construction 
of  the  school.  The  school  was  placed  into  service 
upon  completion,  but  the  Division  does  not  have 
the  security  that  a  long-term  lease  may  provide. 


Implications  and  risks  if  recommendation 
not  implemented 

The  Division  won't  have  control  of  schools  built  on 
land  to  which  it  has  not  obtained  long-term  access. 
The  Division  may  incur  higher  costs  if  it  negotiates 
land  leases  after  construction  is  complete. 
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Financial  reporting 
Background 

A  school  division's  management  is  responsible  for 
preparing  financial  statements  and  accompanying 
notes  and  schedules  in  accordance  with  Canadian 
generally  accepted  accounting  principles.  Regular 
preparation  and  review  of  interim  financial 
statements  supports  management's  accountability 
and  assists  school  trustees  in  their  governance 
role. 

For  the  year  ended  March  31 ,  2009,  Northland 
School  Division  No.  61  was  governed  by  a  Board 
of  Trustees  comprised  of  the  Chairs  of  23  local 
school  councils.  On  January  21,  2010,  the  Minister 
of  Education  dismissed  the  Board  of  Trustees  and 
appointed  an  Official  Trustee  for  the  Division. 


Recommendation:  improving  financial 
reporting 


RECOMMENDATION  NO.  14 


We  recommend  that  the  Northland  School 
Division  No.  61  improve  its  financial  reporting 

by: 

preparing  and  presenting  quarterly  financial 
information  to  the  Official  Trustee 
regularly  reviewing  and  reconciling  general 
ledger  accounts 

preparing  year-end  financial  statements 
promptly 


Criteria:  the  standards  for  our  audit 

Strong  financial  reporting  processes  should  be 
in  place  to  provide  reliable,  periodic  financial 
information  to  management  and  the  Official 
Trustee. 


Our  audit  findings 


Key  Point 


Financial  reporting  processes  need  improvement 

The  Division  experienced  significant  difficulties  in 
preparing  accurate  year-end  financial  statements. 
The  statements  needed  numerous,  large 
adjustments  after  year-end.  Management  did  not 
provide  the  Board  of  Trustees  with  quarterly 
financial  statements  or  forecasts  that  would  have 


aided  them  in  making  decisions  about  the  Division 
or  in  assessing  how  the  Division's  $58  million 
budget  was  managed. 

The  Division  was  unable  to  produce  accurate 
financial  statements  within  scheduled  year-end 
timelines.  Management  made  numerous  updates  to 
the  financial  statements  in  December  and  January, 
primarily  for  capital  asset  additions.  Significant  sub- 
ledgers  were  not  reconciled  to  the  general  ledger 
on  a  regular  basis. 

The  Division  completed  its  financial  statements 
in  January  2010,  we  issued  our  audit  report  in 
March  2010. 

The  Secretary  Treasurer  resigned  in  July  2009.  A 
new  Secretary  Treasurer  began  work  in  mid-August 
2009.  We  understand  that  a  transition  period  was 
required;  however,  that  transition  and  the  year-end 
reporting  would  have  been  more  effective  if  the 
Division  had  strong  financial  reporting  processes 
and  controls  in  place  throughout  the  year. 


Implications  and  risks  if  recommendation 
not  implemented 

Management  and  the  Board  of  Trustees  may  not 
have  reliable  financial  information  with  which  to 
make  decisions. 


Financial  statements 


Our  auditor's  opinions  on  the  financial  statements 
of  the  Ministry,  Department  and  the  Alberta 
School  Foundation  Fund  for  the  year  ended 
March  31 ,  2010  were  unqualified. 

Our  auditor's  opinions  on  the  financial  statements 
of  Northland  School  Division  No.  61  were 
unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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Summary  of  our  recommendations 


Department 

The  Department  has  implemented  our 
recommendations  to  improve  the  use  of  exception 
reports  and  to  strengthen  its  compliance  audit  for 
the  income  support  program — see  below. 

The  Department  has  implemented  our 
recommendation  to  improve  its  IT  control 
environment — see  below. 

Workers'  Compensation  Board 

The  Workers'  Compensation  Board  should  ensure 
that  access  to  computer  systems  is  restricted  to 
appropriate  staff — see  page  136. 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Findings  and  recommendations 


Ministry  and  Department 

Income  Support  Program — 

implemented 

Background 

In  our  October  2007  Report  (vol.  2 — page  55),  we 
recommended  that  the  Department  of  Employment, 
Immigration  and  Industry  improve  the  use  of 
exception  reports  to  manage  the  income  support 
program  by: 

identifying  available  exception  reports 
assessing  if  the  exception  reports  identify  key 
program  risks 

identifying  the  review  and  follow-up 
requirements 

In  our  October  2007  Report  (vol.  2 — page  56),  we 
also  recommended  that  the  Department  strengthen 
its  compliance  audit  of  the  income  support  program 
by  ensuring  that  its  regional  office  staff  review  and 
act  on  key  exception  reports. 


Our  audit  findings 


Key  Point 


The  Department  uses  key  exception  reports  and 
has  provided  guidelines  to  worksites 

The  Department  has  implemented  these  two 
recommendations.  The  Department  identified  key 
exception  reports  and  provided  them  to  all  the 
regions  in  June  2008.  During  their  income  support 
audits,  the  Department's  internal  auditors  followed 
up  to  ensure  worksite  staff  were  using  exception 
reports  to  manage  the  income  support  program. 
The  Department  has  provided  guidelines  to  the 
worksites  for  the  review  of  reports,  filing  and 
retention.  The  follow-up  process  is  incorporated  in 
the  internal  audit  program  and  plan. 

IT  Control  Environment — implemented 
Background 

In  our  October  2007  Report  (no.  23,  vol.  2— 
page  60),  we  recommended  that  the  Department  of 
Employment,  Immigration  and  Industry: 
develop  service  level  agreements  with 
information  technology  service  providers  that 
clearly  define  expected  services 
establish  processes  to  obtain  assurance  that 
these  service  providers  consistently  meet 
service  level  requirements  and  that  control 
activities  performed  by  the  providers  are 
operating  effectively 


Our  audit  findings 


Key  Point 


Service  providers  are  required  to  provide  terms  and 
conditions  on  service  levels 

The  Department  has  implemented  this 
recommendation.  The  Department  has  outsourced 
IT  services  in  two  main  areas:  application 
maintenance  support  and  IT  infrastructure  support. 
This  year,  it  issued  a  request  for  proposals  for 
vendors  to  bid  on  application  maintenance  services 
We  reviewed  the  request  for  proposals  and 
confirmed  that  the  Department  included  terms  and 
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conditions  on  service  levels  and  requirements  for 
independent  audits  of  the  vendor. 

Workers'  Compensation  Board 

Computer  systems  access 
Background 

The  Workers'  Compensation  Board  makes 
extensive  use  of  computer  systems  for  most 
aspects  of  its  operations.  Staff  are  provided  access 
privileges  to  computer  systems  based  on  their  role 
and  position  within  the  organization. 


Recommendation:  computer  access 


RECOMMENDATION 


We  recommend  that  the  Workers' 
Compensation  Board  ensure  that  access  to 
computer  systems  is  restricted  to  appropriate 
staff. 

Criteria:  the  standards  for  our  audit 

Computer  access  should  be  removed  promptly  for 
users  that  no  longer  require  it.  A  regular  review  of 
user  access  roles  should  be  performed  to  ensure 
they  continue  to  be  appropriate. 


Our  audit  findings 


Key  Point 


Computer  access  privileges  to  a  key  financial 
system  were  not  terminated 

We  identified  one  individual  with  Administrator 
privileges  to  the  purchasing  module  of  WCB's 
Integrated  Financial  Management  System  (IFMS), 
who  no  longer  required  this  access.  He  continued 
to  have  these  privileges,  even  though  he  had 
transferred  to  another  department  within  WCB  in 
2005.  The  continuation  of  access  privileges  was 
approved,  on  a  temporary  basis,  but  was  not 
terminated  after  the  access  was  no  longer  required. 

The  Workers'  Compensation  Board  does  not  carry 
out  regular  reviews  of  user  access  to  its  IFMS 
system  to  ensure  that  the  access  continues  to  be 
appropriate.  It  does  carry  out  regular  reviews  to 
identify  any  terminated  staff  who  may  continue  to 
have  access  to  the  system,  but  this  review  does  not 


include  employees  who  have  transferred  to  other 
positions  within  the  Workers'  Compensation  Board. 

While  our  review  was  limited  to  IFMS,  similar  risks 
may  exist  for  other  Workers'  Compensation  Board 
systems.  The  Workers'  Compensation  Board 
should  review  its  processes  to  manage  access 
for  other  systems  to  consider  whether  staff  may 
continue  to  have  access  after  they  are  transferred 
or  terminated. 


Implications  and  risks  if  recommendation 
not  implemented 

Unauthorized  or  inappropriate  transactions  may  be 
processed,  increasing  the  risk  of  fraud  or  error. 

Matters  from  prior-year  audits 

Claims  audit — implemented 
Background 

In  our  October  2009  Report  (page  1 91 ),  we 
recommended  that  the  Workers'  Compensation 
Board  assess  whether  it  is  conducting  an  adequate 
number  of  claims  audits  each  year. 


Our  audit  findings 

The  Workers'  Compensation  Board  implemented 
the  recommendation  by  refocusing  its  efforts  on 
fewer  compliance  elements,  and  increasing  the 
number  of  audits.  The  Workers'  Compensation 
Board  has  also  clarified  its  risk  exposures  for 
segments  of  the  employer  population.  The 
Workers'  Compensation  Board  uses  a  risk  focused 
approach  for  selecting  employers  for  audit,  based 
on  indications  of  non-compliance  in  the  Workers' 
Compensation  Board  employer  and  claims  data. 

The  Workers'  Compensation  Board  has  also 
defined  how  alternative  measures,  such  as  an 
employer  self-evaluation  checklist  are  used  to 
manage  the  lower  risk  employers.  The  Workers' 
Compensation  Board  monitors  the  performance  of 
employers  on  accident  reporting  and  other  criteria 
subsequent  to  the  self-evaluation  to  target  for 
further  follow-up. 
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merit  Audits  and  Other  Ass 


Employment  and  Immigration 


Our  auditor's  opinions  on  the  Ministry  and 
Department's  financial  statements  for  the  years 
ending  March  31.  2010  and  2009,  were  unqualified. 

We  issued  unqualified  audit  opinions  for  the  years 
ending  March  31 ,  201 0  and  2009,  for  the  Labour 
Market  Development  Claim. 

We  issued  an  unqualified  audit  opinion  for  the 
March  31,  2009  Employability  Assistance  for 
People  with  Disabilities  Claim. 

We  issued  unqualified  opinions  on  the  financial 
statements  of  the  Workers'  Compensation  Board 
for  the  years  ended  December  31 ,  2009  and 
2008.  We  also  issued  an  unqualified  audit  opinion 
on  the  schedule  of  administrative  charges  of  the 
Workers'  Compensation  Board  for  the  year  ended 
December  31,  2009. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's  2009-2010 
Annual  Report.  We  issued  an  unqualified  review 
engagement  report  on  these  measures. 

We  found  no  exceptions  when  we  completed 
specified  auditing  procedures  on  WCB's 
performance  measures  in  its  accountability 
framework. 
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Summary  of  our  recommendations 


The  Department  of  Energy  has: 

implemented  our  recommendation  to  improve 
the  monitoring  of  the  implementation  of  the 
bitumen  valuation  methodology — see  below 
implemented  our  recommendation  to  monitor 
the  impact  of  changes  in  the  effective  royalty 
rate — see  page  140 
implemented  our  recommendation  to 
strengthen  controls  to  detect  and  prevent  errors 
in  reporting  royalty-liable  fuel-gas  volumes — 
see  page  140 

made  satisfactory  progress  implementing  our 
recommendation  to  improve  processes  to 
prepare  financial  information — see  page  140 
made  satisfactory  progress  implementing 
our  recommendation  to  improve  controls 
and  documentation  for  the  revenue  forecast 
system — see  page  141 

The  Energy  Resources  Conservation  Board  has 
implemented  our  recommendation  to  improve  SAP 
security  controls — see  page  142 

See  our  outstanding  recommendations  list  on 
page  203  for  outstanding  recommendations 
previously  made  to  the  organizations  that  form  the 
Ministry. 


Findings  and  recommendations 


Department  of  Energy 

Bitumen  valuation  methodology — 

implemented 

Background 

In  our  October  2009  Report  (no.  20— page  195), 
we  recommended  that  the  Department  improve  its 
monitoring  of  the  implementation  of  the  bitumen 
valuation  methodology. 

As  part  of  the  New  Royalty  Framework 
implemented  January  1,  2009,  the  Bitumen 
Valuation  Methodology  Regulation  (Regulation) 


was  enacted.  The  Regulation  established  a  method 
to  determine  a  unit  price  for  bitumen  for  producers 
who  upgrade  bitumen  instead  of  selling  it  to  a  third 
party.  The  unit  price  is  used  to  calculate  royalties 
due  to  the  province. 

The  Suncor  and  Syncrude  oil  sands  mine  projects 
are  assessed  royalties  under  Royalty  Amending 
Agreements  (RAAs).  Each  of  these  RAAs 
contemplated  the  implementation  of  a  bitumen 
valuation  methodology  and  each  contained  clauses 
modifying  the  application  of  the  bitumen  valuation 
methodology  to  the  respective  Crown  agreement 
projects.  The  RAAs  indicate  that  the  bitumen 
valuation  methodology  applicable  to  the  projects 
will  include  "reasonable  adjustments"  to  reflect 
quality  differences  between  their  project  bitumen 
and  the  reference  price  used  in  the  Regulation,  and 
also  to  reflect  transportation  costs  to  the  reference 
price  location.  During  2009.  Suncor  and  Syncrude 
filed  non-compliance  notices  with  the  Department 
indicating  that  the  Regulation  does  not  establish  the 
reasonable  quality  and  transportation  adjustments 
required  by  their  respective  RAAs.  Both  companies 
paid  royalties  based  on  a  unit  price  that  was  lower 
than  the  price  determined  by  the  Regulation. 

The  Department's  2009-2010  revenue  includes 
an  estimate  of  the  royalties  that  the  Department 
expects  to  recover  from  the  Suncor  and  Syncrude 
projects.  This  amount  may  be  adjusted  following 
the  resolution  of  the  issue. 


Our  audit  findings 

The  Department  has  implemented  processes  to 
monitor  the  producers'  application  of  the  bitumen 
valuation  methodology. 

The  Department  is  in  the  process  of  discussing  this 
issue  with  Suncor  and  Syncrude.  The  Department 
has  also  implemented  a  process  to  ensure  that 
other  oil  sands  projects  that  are  subject  to  the 
Regulation  use  the  appropriate  unit  price  to 
determine  their  royalties. 
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Corporate  effective  royalty  rate — 

implemented 

Background 

In  our  October  2009  Report  (no.  22— page  200), 
we  recommended  that  the  Department  monitor 
the  impact  of  the  change  to  the  provincial  average 
corporate  effective  royalty  rate  on  the  Department's 
accounts  receivable  and  incentive  programs. 


Our  audit  findings 

Department  staff  now  complete  an  analysis  within 
the  forecast  model  of  natural  gas  and  by-product 
royalty  revenue  that  estimates  the  impact  of  the 
annual  cost  adjustment  resulting  from  fluctuations 
in  the  facility  effective  royalty  rate.  Beginning 
January  1,  2009,  the  Department  uses  a  facility 
effective  royalty  rate  instead  of  the  corporate 
effective  royalty  rate  in  the  calculation  of  allowable 
costs.  Staff  track  the  facility  effective  royalty  rate 
each  month  to  assist  in  determining  the  potential 
impact  when  companies  file  calendar  year  actual 
costs  the  following  June.  If  staff  expect  a  significant 
difference,  they  communicate  this  information  to 
decision  makers  within  the  Department  along  with 
the  quarterly  results. 

Strengthen  controls  to  prevent  and 
detect  errors  in  reporting  royalty-liable 
fuel-gas  volumes — implemented 
Background 

In  our  October  2008  Report  (no.  26— page  257), 
we  recommended  that  the  Department: 
strengthen  controls  to  prevent  fuel-gas 
volumes  from  being  incorrectly  reported  in  the 
Petroleum  Registry  of  Alberta  and  to  detect 
incorrect  reporting 

improve  its  detection  and  monitoring  processes 
over  fuel-gas  volume  amendments 


Our  audit  findings 

The  Petroleum  Registry  of  Alberta  now  requires  the 
seller  of  fuel-gas  volumes  (the  party  responsible  for 
paying  royalties)  to  code  the  volumes.  In  the  past, 


the  purchasing  facility  was  responsible  for  coding 
the  volumes. 

To  ensure  that  fuel-gas  volumes  are  being  reported 
accurately  and  completely  going  forward,  the 
Department  developed  a  report  that  contains  past 
trends  on  fuel-gas  sales.  It  uses  this  report  to 
identify  any  variances  or  anomalies  that  require 
further  investigation. 

The  Department  also  regularly  communicates  with 
industry  to  ensure  incorrectly  recorded  volumes 
are  amended  and  that  industry  is  aware  of  the 
appropriate  method  of  reporting  the  volumes. 

The  Department  completed  a  comprehensive 
review  of  dispositions  potentially  impacted 
by  fuel-gas  reporting.  Also,  after  each  natural 
gas  royalty  monthly  invoice  is  processed,  the 
Department  produces  a  report  that  identifies 
all  amendments  processed  relating  to  fuel-gas 
volumes.  This  enables  the  Department  to  verify  that 
amendments  are  being  made. 

Improving  processes  to  prepare 
financial  information— satisfactory 
progress 
Background 

On  page  1 97  of  our  October  2009  Report,  we 
recommended  that  the  Department  improve: 

quality  control  processes  for  the  preparation  of 
working  papers  and  financial  statements 
internal  communication  processes  between  the 
Finance  branch  and  program  staff 


Criteria:  the  standards  for  our  audit 

The  Department  should  have  processes  to  ensure 
complete,  accurate  and  timely  information  is 
available. 

Controls  over  financial  reporting  processes  should 
be  implemented  to  reduce  the  risk  of  material 
misstatements  in  the  Department's  accounting 
records. 
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Our  audit  findings 


Key  Points 


•  Financial  reporting  processes  operate  effectively 
for  transactions  that  occur  regularly 

•  Processes  for  recording  new  types  of  transactions 
need  to  improve 

Quality  control  processes  over  working 
papers  and  financial  statements 

The  Department  provided  Ministry  and  Department 
financial  statements,  with  supporting  working 
papers,  within  the  year-end  deadlines  established 
by  the  Department  of  Treasury  Board.  The 
Department  also  has  a  more  defined  process  for 
the  preparation,  review  and  timing  for  regularly 
prepared  working  papers. 

Sharing  of  information 
The  Department  has  made  improvements  in 
establishing  responsibilities  and  accountability 
for  information  being  provided  by  the  royalty 
operations  and  other  supporting  areas  to  the 
financial  statement  preparers.  For  regularly 
occurring  reporting  and  estimates,  the  processes 
have  operated  effectively.  However,  we  noted 
two  instances  where  significant  transactions  and 
estimates  were  not  adequately  or  accurately 
communicated  to  the  financial  statement  preparers. 
Our  audit  identified  and  management  corrected: 
an  overstatement  of  revenue  of  $253  million — 
The  error  was  not  detected  by  the  financial 
statement  preparers  because  program  staff 
provided  only  the  results  of  a  calculation  for 
a  new  accrual  and  not  the  support  for  the 
calculation. 

an  understatement  of  revenue  of  $18  million 
because  program  areas  did  not  advise  the 
financial  statement  preparers  that  additional 
royalties  should  have  been  accrued 

To  fully  implement  this  recommendation,  program 
staff  need  to  provide  financial  statement  preparers 
with  information  supporting  calculations  so  they 
can  do  a  proper  review  and  advise  preparers  of 
changes  to  royalty  calculations  that  need  to  be 
taken  into  account  when  making  new  accruals. 


Improving  controls  over  the  revenue 
forecast  system— satisfactory  progress 
Background 

In  our  October  2009  Report  (no.  21— page  199), 
we  recommended  that  the  Department  improve  the 
controls  and  documentation  supporting  the  revenue 
forecast  model  to  help  ensure  continued  accuracy 
of  the  forecast  system. 


Criteria:  the  standards  for  our  audit 

The  extent  of  documentation  and  control  over 
end-user  applications,  should  be  commensurate 
with  the  complexity  and  impact  on  the  financial 
statements. 


Our  audit  findings 


Key  Points 


•  Department  improved  controls  over  the  revenue 
forecasting  model 

•  Department  improved  some  of  the  documentation 

•  Some  areas  still  need  better  documentation 

Controls  over  forecast  model 

The  Department  has  implemented  the  Sharepoint 
application  to  improve  the  controls  to  track  changes 
and  versions  of  the  model,  and  to  limit  the  risk  of 
inaccurate  and/or  unauthorized  data  input. 

Documentation  of  forecast  model 
The  Department  has  enhanced  the  forecast  model 
documentation  to  include  additional  detail  regarding 
the  assumptions  made,  the  logic  and  reasoning 
supporting  the  assumptions,  and  some  of  the 
changes  made  to  the  underlying  revenue  stream 
being  forecasted.  However: 

the  methodology  for  the  drilling  royalty  credit 
used  to  estimate  the  amount  in  the  financial 
statements  was  not  adequately,  or  accurately, 
described  in  the  forecast  model  documentation 
the  section  in  the  document  that  describes  new 
programs  is  incomplete 

The  most  recent  draft  of  the  forecast  model 
documentation  is  dated  December  2009.  Thus, 
significant  changes  to  estimate  methodology  and 
assumptions  made  subsequently  have  not  been 
reflected. 
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To  fully  implement  this  recommendation,  the 
Department  needs  to  update  the  section  describing 
new  programs  and  the  documentation  of  the 
methodology  for  calculating  the  drilling  royalty 
credit. 

Energy  Resources  Conservation 
Board 

Assessing  and  improving  SAP  security 

controls — implemented 

Background 

Last  year,  the  Energy  Resources  Conservation 
Board  upgraded  SAP,1  the  primary  system  it  uses 
to  record  financial  and  business  information. 
In  our  October  2009  Report  (page  202),  we 
recommended  that  the  ERCB  assess  the  adequacy 
of  its  SAP  business  application  access  and 
security  controls  and  configurations  to  ensure  its 
information  is  properly  protected. 


Our  audit  findings 

The  ERCB  implemented  the  recommendation  by 
engaging  external  consultants  to  independently 
reassess  the  security  controls  within  its  SAP 
applications  and  make  the  necessary  changes  to 
its  security  controls  in  November  2009. 

We  reviewed  the  work  completed  by  ERCB  and 
its  consultant  and  confirmed  that  the  weaknesses 
we  previously  identified  were  remediated.  We 
concluded  that  ERCB  had  adequately  assessed 
and  improved  the  user  access,  separation  of  duties 
and  security  controls  in  its  SAP  system. 


Financial  statements 


effective  April  1,  2009.  We  indicated  the  accounting 
treatment  to  record  the  cost  of  these  programs  as 
a  reduction  to  revenue  or  as  an  expense  would 
need  to  be  assessed  based  upon  the  underlying 
economic  substance  of  the  transactions. 

The  Department  reviewed  the  accounting  and 
concluded  that  it  is  appropriate  to  recognize  the 
cost  of  both  programs  as  a  reduction  to  royalty 
revenue  as  opposed  to  recognizing  the  amounts  as 
an  expense.  The  Department  disclosed  these  two 
programs  as  a  reduction  to  revenue  line  item  on 
Schedule  1  in  the  Ministry  and  Department  financial 
statements.  We  also  completed  an  analysis  and 
agreed  with  this  financial  statement  presentation. 

Our  auditor's  opinions  on  the  financial  statements 
for  the  Alberta  Petroleum  Marketing  Commission 
for  the  years  ended  December  31 ,  2009  and  2008, 
were  unqualified. 

Our  auditor's  opinions  on  the  financial  statements 
for  the  Alberta  Utilities  Commission  and  the  Energy 
Resources  Conservation  Board  for  the  years  ended 
March  31,  2010  and  2009,  were  unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 


Our  auditor's  opinions  on  the  financial  statements 
for  the  Ministry  and  the  Department  for  the  years 
ended  March  31,  2010  and  2009,  were  unqualified. 

In  our  October  2009  Report  (page  204)  we 
highlighted  the  financial  significance  of  the 
Department's  Drilling  Royalty  Credit  and  New  Well 
Royalty  Rate  programs  that  were  implemented 


1      SAP  is  a  company  that  provides  business  software 
products  and  services. 
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Summary  of  our  recommendations 


The  Department  should: 

improve  its  grant  monitoring  process — see 
below 

clarify  which  regulatory  expenses  the  Climate 
Change  and  Emissions  Management  Fund  can 
pay — see  page  144 

The  Department  has  implemented  our  2007-2008 
recommendation  on  governance  of  ad  hoc  grants — 
see  page  144. 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Findings  and  recommendations 


Matters  from  the  current  audit 

Grant  monitoring  process 
Background 

The  Department  administers  a  number  of  grant 
programs  such  as  the  Alberta  waste  management 
assistance  program,  community  based  activities 
to  enhance  the  environment,  and  environmental 
collaboration  and  partnerships.  Total  grant 
expenditures  for  the  year  ended  March  31 ,  201 0, 
were  approximately  $60  million,  and  recipients 
were  individuals,  businesses,  not-for-profits  and 
other  government  ministries. 

Department  staff  communicate  with  grant  recipients 
to  track  the  progress  of  projects  and  ensure  they 
achieve  milestones  on  time  and  spend  funds 
for  intended  purposes.  In  most  cases,  grant 
agreements  require  recipients  to  submit  progress 
reports,  statements  of  interest  earned,  and  audited 
financial  statements  to  the  Department.  Regional 
staff  review  these  progress  and  financial  reports,  to 
ensure  they  are  delivered  on  time  and  that  incurred 
costs  are  eligible  under  the  grant  agreement. 


Recommendation:  improve  and  document 
grant  monitoring  activities 


RECOMMENDATION  NO.  15 


We  recommend  that  the  Department  of 
Environment  improve  its  monitoring  of 
compliance  with  conditions  in  grant  agreements 
and  retain  evidence  of  the  review. 


Criteria:  the  standards  for  our  audit 

The  Department  should  have  adequate  controls 
to  ensure  that  it  effectively  monitors  grant 
agreements.  Recipients  should  deliver  results  that 
meet  the  terms  of  the  grant  agreement,  within 
timelines  and  budget.  The  Department  should 
document  evidence  of  its  monitoring  processes. 


Our  audit  findings 


Key  Points 


•  Improve  monitoring  of  compliance  agreements 

•  Document  evidence  of  review 

We  tested  11  grant  agreements  (sampled  from 
each  grant  program)  and  noted  the  following: 
For  one  of  the  11  agreements  sampled, 
the  financial  statements  submitted  had  a 
qualified  audit  report  attached.  There  was  no 
evidence  of  evaluation  by  the  Department  to 
determine  whether  the  qualification  impacted 
the  recipients  compliance  with  the  terms  of  the 
grant  agreements. 

In  five  of  the  11  samples,  the  Department  did 
not  receive  financial  reports  within  the  timeline 
in  the  grant  agreement.  There  was  no  evidence 
of  communication  between  the  Department  and 
grant  recipient  requesting  the  reports. 

We  also  requested  documented  evidence  of  the 
Department's  review  for  compliance  with  the 
terms  of  the  grant  agreements  for  the  11  samples. 
Based  on  the  information  provided,  there  is  no 
documented  evidence  to  indicate  Department  staff 
reviewed  the  financial  reports. 
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Implications  and  risks  if  recommendation 
not  implemented 

Grant  recipients  may  not  comply  with  the  terms  of 
the  grant  agreement,  and  may  not  contribute  to 
achieving  the  Department's  business  plan  goals. 

Administrative  payments  made  from 
the  Climate  Change  and  Emissions 
Management  Fund 
Background 

The  Climate  Change  and  Emissions  Management 
Act,  Section  10(3),  indicates  that  the  Fund  may 
be  used  only  for  purposes  related  to  reducing 
emissions  of  specified  gases  or  improving  Alberta's 
ability  to  adapt  to  climate  change.  These  purposes 
include:  "paying  salaries,  fees,  expenses,  liabilities 
or  other  costs  incurred  by  a  delegated  authority  in 
carrying  out  a  duty  or  function  of  or  exercising  a 
power  of  the  Minister  in  respect  of  the  Fund  that 
has  been  delegated  to  the  delegated  authority,  if 
authorized  by  the  regulations." 

Section  10(4)  indicates  the  Minister  may  make 
payments  out  of  the  Fund: 

a)  for  the  purposes  of  the  Fund,  or 

b)  in  accordance  with  the  regulations,  to  a 
delegated  authority  to  enable  the  delegated 
authority  to  make  payments  for  the  purposes  of 
the  Fund 

Recommendation:  clarify  what  are  valid 
regulatory  expenses 


RECOMMENDATION 


We  recommend  that  the  Department  of 
Environment  clarify  the  kind  and  extent  of 
regulatory  expenses  that  can  be  paid  out  of  the 
Climate  Change  and  Emissions  Management 
Fund. 

Criteria:  the  standards  for  our  audit 

There  should  be  clear  authority  for  the  types  of 
regulatory  expenses  that  can  be  paid  out  of  the 
Fund. 


Our  audit  findings 


While  the  Act  authorizes  the  operational 
expenses  incurred  by  a  delegated  authority 
to  be  paid  out  of  the  Fund,  there  is  no  similar 
provision  specifically  authorizing  regulatory 
costs  of  the  Department1  to  be  paid  out  of  the 
Fund. 

The  Department  has  not  documented  the  kind 
and  extent  of  regulatory  expenses  that  can  be 
paid  out  of  the  Fund. 

In  2010,  management  paid  out  of  the  Fund 
$855,000  for  verification2  costs  and  $163,000 
to  establish  the  Climate  Change  and  Emissions 
Management  Corporation. 
The  other  regulatory  costs  incurred  to 
administer  the  Fund  were  paid  out  of  the 
Department's  budget. 

Implications  and  risks  if  recommendation 
not  implemented 

Management  may  pay  regulatory  expenses  out 
of  the  Fund  that  may  not  have  been  originally 
contemplated  by  legislation. 

Matters  from  prior-years  audits 

Governance  of  ad  hoc  grants — 
implemented 


Background 


In  March  2007,  the  federal  government  announced 
$155.9  million  EcoTrust  funding  for  Alberta. 
EcoTrust  is  to  support  provincial  projects  that 
will  result  in  real  reductions  in  greenhouse  gas 
emissions  and  air  pollutants.  The  funding  for  the 
province  was  made  available  through  a  third-party 
trust  deposited  with  Alberta  Finance.  The  funding 
was  transferred  to  the  Department  in  April  2007 
and  recorded  as  unearned  revenue.  The  funds 
continued  to  be  reported  as  unearned  revenue  as 


1  For  the  purposes  of  this  report,  regulatory  costs  of  the 
Department  means  the  operating  costs  incurred  for 
carrying  out  its  regulatory  role  under  the  Act. 

2  In  some  cases,  the  Department  hires  independent  third 
parties  to  verify  the  information  supplied  by  facilities  that 
the  Department  regulates  under  the  Specified  Gas  Emitter 
Regulation.  The  information  supplied  is  used  to  determine 
whether  facilities  are  required  to  make  payments  to  the 
Fund. 
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at  March  31,  2009.  The  Department  has  budgeted 
to  recognize  $51.9  million  EcoTrust  revenue  by 
March  31.  2010. 

In  our  October  2008  Report  (page  262),  we 
recommended  that  the  Department  improve 
its  governance  of  ad  hoc  grants  received  by 
implementing  processes  to  ensure  that  conditions 
attached  to  grants  received  will  be  complied  with. 
The  Department  could  not  provide  information 
about  the  intended  use  of  the  funds. 


Our  audit  findings 

The  Department  has  developed  a  plan  for  using 
the  EcoTrust  funds.  We  reviewed  this  plan  and 
concluded  it  provides  complete  information  about 
the  intended  use  of  the  funds  and  will  comply  with 
the  terms  of  the  grant  agreement. 


Financial  statements 


Our  auditor's  opinions  on  the  Ministry's  and 
Department's  financial  statements  for  the  years 
ended  March  31,  2010  and  2009,  were  unqualified. 

Our  auditor's  opinions  on  the  Climate  Change 
and  Emissions  Management  Fund's  financial 
statements  for  the  years  ended  March  31 ,  201 0 
and  2009,  were  unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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Our  auditor's  opinions  on  the  Ministry's  financial 
statements  for  the  years  ended  March  31 ,  201 0 
and  2009,  were  unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's  2009-2010 
Annual  Report.  We  issued  an  unqualified  review 
engagement  report  on  these  measures. 
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Summary  of  our  recommendations 


Ministry  and  Department 

The  Department  of  Finance  and  Enterprise 
should  improve  its  year-end  financial  reporting 
processes — see  page  150. 

The  Department  has  implemented  our 

recommendations  that: 

its  Investment  and  Accounting  Reporting  Group 
improve  its  financial  reporting  processes  and 
succession  planning — see  page151 
it  assess  and  evaluate  the  risk  of  individuals 
exceeding  the  tax-exempt  tobacco  limit  of  the 
Alberta  Indian  Tax  Exemption  program — see 
page  151 

it  review  the  use  of  spreadsheets  in  the 
processing  of  insurance  corporations  tax — see 
page  152 

Alberta  Treasury  Branches  (ATB) 

On  pages  61  to  65.  we  report  on  the  improvements 
ATB  has  made  to  its  project  governance  and 
management  systems  related  to  its  new  banking 
system  implementation. 

ATB  expects  its  new  banking  system  to  be  in  place 
by  April  2011.  We  have  completed  a  progress 
report  on  page  1 52  on  ATB's  consideration  of  internal 
controls  within  the  new  banking  system. 

We  repeat  our  recommendations  that  ATB: 
promptly  update  the  derivative  credit  limits 
disclosed  in  the  Daily  Derivative  Exposure 
Report — see  page  1 53 

improve  controls  over  the  calculation  of  the  fair 
value  for  its  derivatives  and  securities — see 
page  153 

ATB  has  implemented  our  recommendations  that  it: 
have  systems  and  processes  in  place  to  ensure 
it  complies  with  the  Minister  of  Finance  and 
Enterprise's  Outsourcing  of  Business  Activities, 
Functions,  and  Processes  Guideline — see 
page  1 54 


improve  its  hiring  processes  to  ensure  criminal 
record  checks  are  completed  on  prospective 
employees — see  page  154 

Alberta  Investment  Management 
Corporation  (AIMCo) 

AIMCo  should: 

identify  financial  reporting  requirements  in  its 
investment  management  agreements  with 
clients,  and  meet  with  clients  to  understand 
their  financial  reporting  frameworks,  financial 
accounting  requirements  and  the  investment- 
related  information  they  need  to  prepare 
financial  statements — see  page  155 
implement  additional  control  procedures  so 
that  AIMCo  itself  can  ensure  the  completeness 
and  accuracy  of  its  investment  general  ledger. 
Currently,  the  Department  of  Finance  and 
Enterprise  performs  certain  control  procedures 
that  supplement  those  performed  by  AIMCo — 
see  page  157 

strengthen  its  IT  change  management 
controls — see  page  1 58 

AIMCo  has  implemented  our  recommendations  that 
it: 

establish  a  process  to  estimate  current 
fair  values  for  its  private  and  hedge  fund 
investments — see  page  159 
re-establish  an  Internal  Audit  Group — see 
page  160 

maintain,  file  and  be  able  to  retrieve  all  hard 
copy  records  supporting  completed  investment 
transactions — see  page  160 
improve  procedures  for  valuing  its  real  estate 
investments — see  page  160 
reconcile  its  investments  in  private  equity 
partnerships  to  audited  partnership  financial 
statements,  and  accrue  income  tax  refunds 
for  private  equity  investments  as  soon  as  the 
amounts  are  known — see  page  161 
review  its  ISDA  agreements  regularly  and 
document  any  changes  to  the  standard  ISDA 
form — see  page  161 
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For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Findings  and  recommendations 


Department  of  Finance  and 
Enterprise 

Financial  reporting  processes 
Background 

The  Department  of  Finance  and  Enterprise  has 
among  the  most  complex  and  difficult  financial 
reporting  tasks  within  government.  The  Department 
prepares  and/or  consolidates  the  financial 
statements  of  many  entities,  including  the  Ministry, 
Department  and  endowment  funds,  such  as  the 
Alberta  Heritage  Savings  Trust  Fund.  Many  of 
the  amounts  and  disclosures  in  the  Ministry's 
consolidated  financial  statements  are  significant  to, 
and  appear  in,  the  Province's  consolidated  financial 
statements,  including  tax  revenues,  investments, 
pensions  and  debt. 

In  addition  to  preparing  financial  statements,  the 
Department  prepares  other  year-end  financial 
reporting  disclosures,  such  as  management's 
results  analysis,  performance  measures,  and 
disclosures  required  under  specific  legislation. 
It  also  prepares  working  papers  for  the  audits 
conducted  by  the  Office  of  the  Auditor  General, 
and  working  papers  for  the  Province's  Office  of 
the  Controller,  to  support  the  consolidation  of  the 
Ministry's  financial  statements  in  the  Province's 
consolidated  financial  statements. 

In  order  to  prepare  endowment  fund  financial 
statements,  and  to  account  for  its  own  investments, 
the  Department  performs  investment  accounting 
procedures.  These  include  preparing  monthly  bank 
reconciliations,  preparing  working  papers,  and 
checking  whether  fair  value,  cost,  contributions, 
redemptions  and  income  have  been  appropriately 
allocated  to  investment  clients. 

The  Province's  Office  of  the  Controller  sets 
year-end  timelines.  These  timelines  allow 
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coordinated  completion  of  the  financial  statements 
of  all  government  ministries,  which  form  the  basis 
of  the  Province's  consolidated  financial  statements. 
The  Department  must  operate  within  these 
timelines. 


Recommendation:  improve  financial 
reporting  processes  


RECOMMENDATION  NO.  16 


We  recommend  that  the  Department  of  Finance 
and  Enterprise  improve  its  year-end  financial 
reporting  processes. 

Criteria:  the  standards  for  our  audit 

The  Department's  financial  reporting  processes 
should  support  accurate  and  timely  preparation 
of  financial  statements  and  supporting  working 
papers. 


Our  audit  findings 


Key  Point 


Year-end  financial  reporting  processes  should  be 
improved 

The  Department  is  under  significant  time  and 
resource  pressure  to  meet  year-end  deadlines  set 
by  the  Province's  Office  of  the  Controller,  as  well 
as  to  provide  financial  statements  and  supporting 
working  papers  to  the  Office  of  the  Auditor  General. 
We  observed  the  following: 

Financial  statements  are  not  updated  on  a 
proforma  basis  before  year-end.  We  observed 
errors  in  prior  year  amounts  in  financial 
statements  presented  for  audit.  There  were 
also  substantial  changes  in  disclosures  and 
classifications  that  were  not  discussed  with  the 
Province's  Office  of  the  Controller  or  the  Office 
of  the  Auditor  General  before  year-end.  We 
suggest  that  the  Department  prepare  proforma 
endowment  fund,  department  and  ministry 
financial  statements  much  earlier  in  the  year, 
and  invite  comments  from  the  Province's  Office 
of  the  Controller  and  the  Office  of  the  Auditor 
General  on  these  proforma  statements. 
Coordination  of  disclosures  in  the  Ministry 
financial  statements  which  originate  in 
underlying  entities  could  be  improved.  For 
major  consolidated  entities  with  disclosures 


Report  of  the  Auditor  General  of  Alberta 
October  2010 


inancial  Statement  Audits  and  Other  Assurance  Work 


Finance  and  Enterprise 


in  the  Ministry's  financial  statements,  the 
Department  receives  information  to  prepare  the 
Ministry  disclosures.  The  Department  requests 
other  information  as  needed.  The  Department 
could  request  more  detailed  working  paper 
packages  for  these  disclosures  and  have  entity 
management  review  draft  disclosures. 
Accounting  entries  associated  with  several 
major  accounts  and  disclosures  are  not 
prepared  until  year-end.  In  some  cases,  more 
information  is  available  at  year-end,  such  as 
personal  income  taxes;  in  other  cases,  these 
entries  are  done  as  part  of  year-end  processes. 
To  streamline  year-end.  the  Department  could 
consider  performing  a  "hard  close"  preparation 
of  the  financial  statements  at,  for  example. 
December  31,  including  major  estimates  that 
are  included  in  the  financial  statements.  This 
"hard  close"  set  of  financial  statements  could 
be  audited,  with  a  roll-forward  of  balances  to 
year-end. 

Quality  control  review  of  the  financial 
statements  could  be  improved.  Several 
versions  of  the  financial  statements  were 
presented  for  our  audit.  Even  later  versions  had 
missing  or  inconsistent  note  references.  While 
these  are  minor,  they  take  time  to  correct. 
Without  adequate  processes  to  identify  and 
approve  changes  in  subsequent  revisions, 
there  is  a  risk  that  new  errors  are  introduced 
when  minor  errors  are  corrected. 
Management  review  of  the  financial 
statements,  and  review  of  the  financial 
statements  by  the  Financial  Reporting  Advisory 
Committee,  occurs  later  in  the  year-end 
process.  Such  reviews  contribute  to  improving 
the  quality  of  the  financial  statements;  having 
the  reviews  occur  earlier,  before  the  financial 
statements  are  presented  for  audit,  could 
reduce  audit  queries  and  financial  statement 
revisions,  improving  efficiency. 


Implications  and  risks  if  recommendation 
not  implemented 

Without  improvements  to  the  Department's 
year-end  financial  reporting  processes,  there  is 
an  increased  risk  of  error  in  both  the  Ministry's 
financial  statements  and  the  Province's 
consolidated  financial  statements. 


Matters  from  prior-year  audits 

Financial  reporting  processes  and 
succession  planning — implemented 
Background 

In  our  October  2008  Report  (no.  28— page  268),  we 
recommended  that  the  Department's  Investment 
Accounting  and  Reporting  Group  improve  the 
timeliness  of  its  financial  reporting  and  decrease 
workloads  by: 

recruiting  skilled  personnel  with  expertise  in 

investment  accounting 

allocating  sufficient  time  for  management 

review 

creating  a  management  succession  plan 

The  Group's  specialized  focus  on  investments 
makes  it  unique  within  the  Department.  The  Group 
is  responsible  for  preparing  financial  information 
used  in  the  preparation  of  financial  statements 
by  investment  clients  of  AIMCo,  which  has  total 
investments  under  management  of  $70  billion. 


Our  audit  findings 

The  Department  implemented  our  recommendation 
by  restructuring  its  Financial  Services  division  and 
obtaining  additional  resources,  so  that  priorities 
could  be  met  and  existing  resources  could  provide 
necessary  training  and  mentorship  to  new  and 
existing  staff.  The  Department  also  formalized  a 
succession  plan  for  the  Group,  which  identifies 
back-up  resources,  and  professional  development 
and  cross-training  activities. 

Alberta  Indian  Tax  Exemption  program 

limits — implemented 

Background 

In  our  October  2007  Report  (vol.  2— page  85),  we 
recommended  that  the  Department  of  Finance 
and  Enterprise  assess  and  evaluate  the  risk  of 
individuals  exceeding  the  tax-exempt  tobacco  limit 
of  the  Alberta  Indian  Tax  Exemption  program. 


Our  audit  findings 

The  Department  implemented  our  recommendation 
by  assessing  the  risk  of  overpayment  to  individuals 
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exceeding  the  tax-exempt  tobacco  program's  limit. 
Based  on  the  assessment,  the  risk  of  overpayment 
is  not  significant. 

Use  of  spreadsheets  in  processing 
taxes — implemented 
Background 

In  our  October  2008  Report  (page  273),  we 
recommended  that  the  Department  of  Finance 
and  Enterprise's  Tax  and  Revenue  Administration 
division  review  the  use  of  spreadsheets  in  the 
processing  of  insurance  corporations  tax.  The 
Department  should  assess  the  costs,  benefits  and 
risks  of  using  spreadsheets,  and  consider  whether 
using  existing  established  computer  systems  is 
more  appropriate. 


Our  audit  findings 

The  Department  implemented  our  recommendation 
by  reviewing  the  use  of  spreadsheets.  Insurance 
corporations  tax  is  now  processed  using 
established  computer  systems. 

Alberta  Treasury  Branches 

ATB  New  Banking  System  Internal 
Controls — progress  report 
Background 

In  our  October  2009  Report  (beginning  on 
page  219),  we  reported  on  Alberta  Treasury 
Branches'  insufficient  consideration  of  the  need  for 
well-designed  and  effective  internal  controls  in  the 
functional  design  phase  of  its  new  SAP  financial 
modules,  which  are  a  part  of  the  new  banking 
system  (Core  project).  As  a  result  of  our  2009  audit, 
we  recommended  that  ATB's  Strategic  Steering 
Committee  receive  the  appropriate  assurance 
from  the  Core  project's  leadership  team  that 
the  organization's  control  objectives  have  been 
satisfied  before  the  user  acceptance  testing  phase 
of  the  Core  project  is  complete.  When  we  made  our 
recommendation,  management  agreed  to  act  on 
our  recommendation  before  the  go  live  date. 
ATB's  internal  audit  group  did  a  similar  audit  on 
the  consideration  of  internal  controls  within  the 
functional  design  process  for  the  SAP  banking 
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modules.  This  work  resulted  in  ATB's  internal 
audit  group  recommending  in  July  2009  that 
management  initiate  the  development  of  a  formal 
plan,  in  consultation  with  key  stakeholders,  to 
ensure  internal  controls  are  given  adequate 
consideration  as  part  of  the  Core  project. 

ATB  management  expects  the  Core  project 
to  go  live  in  April  201 1 ,  which  does  not  leave 
the  newly  created  internal  control  project  team 
much  time  to  complete  its  work.  In  our  opinion, 
ATB's  internal  control  project  must  achieve  its 
goals  and  objectives  prior  to  the  Core  project's 
implementation  date  to  ensure  ATB  will  be  able  to 
continue  to  meet  its  business  objectives  and  serve 
its  customers. 


Key  Point 


ATB's  internal  control  project  team  must  meet  its 
goals  and  objectives  priorto  implementation  of  the 
new  banking  system. 

On  pages  61  to  65,  we  report  on  improvements  ATB 
has  made  to  the  Core  project's  governance  and 
management. 

Management  actions 
Subsequent  to  our  recommendation  and  the 
internal  audit  group's  recommendation,  ATB  hired 
a  professional  services  firm  to  assess  how  internal 
controls  should  be  considered  in  the  Core  project. 
The  professional  services  firm  completed  its  work 
and  provided  a  report  to  ATB  in  March  2010. 

ATB  created  an  internal  controls  project  team 
to  ensure  there  are  sufficient  internal  controls  in 
place  when  the  Core  project  is  implemented.  The 
internal  control  project  charter  was  presented  to 
the  Strategic  Steering  Committee  in  April  2010 
and  approved  by  ATB's  Vice  President  of  Central 
Services  in  June  2010. 

The  internal  control  project  team's  goals  and 

objectives  are  to:1 

develop  an  internal  controls  strategy  and  plan 
specific  to  the  Core  project  to  enable  ATB  to 
meet  a  level  of  controls  at  implementation  that 
is  at  least  on  par  with  the  current  pre-Core  level 
of  controls 

1      ATB  project  charter,  Internal  Controls  Initiative 
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establish  the  minimum  level  of  controls  to  use 
as  the  project  benchmark  for  implementation 
of  controls  relative  to  the  Core  program 
implementation 

assess,  design,  build  and  test  internal  controls 
to  meet  the  minimum  level  of  desired  controls 
develop  a  road  map  for  future  implementation 
of  controls  to  meet  a  desired  state  of  controls 
for  the  Core  applications 

The  internal  controls  project  team  has  an  executive 
project  sponsor  and  dedicated  resources.  Training 
was  provided  to  project  team  members  on  internal 
controls.  The  project  team  has  created  detailed 
project  plans  to  identify  risks  and  implement 
internal  controls  into  the  SAP  system  before  the 
implementation  date.  The  project  team  has  also 
defined  plans  to  report,  on  a  weekly  and  monthly 
basis,  progress  to  the  executive  project  sponsor.  An 
internal  controls  risk  and  control  matrix  was  created 
for  the  project  team  to  use  as  it  does  its  work. 

The  internal  controls  project  team  is  currently 
assessing  approximately  490  business  processes. 
As  of  July  2010,  the  project  team  has  identified 
158  business  processes  that  are  in  scope  for  the 
internal  controls  project  to  assess  for  risks  and  risk 
mitigation.  The  project  team  has  also  identified 
approximately  60  information  technology  controls 
that  need  to  be  in  place  for  internal  controls  to  be 
reliable  when  the  Core  project  is  implemented. 

Client  derivative  credit  limits — 
recommendation  repeated 
Background 

In  our  October  2008  Report  (page  276),  we 
recommended  that  ATB  promptly  update  the 
derivative  credit  limits  disclosed  in  the  Daily 
Derivative  Credit  Exposure  Report.2  We  noted 
discrepancies  between  the  monitoring  report  and 
the  amounts  authorized  in  client's  approval  credit 
application. 


2      A  report  used  by  ATB  to  monitor  whether  a  client's 

derivative  credit  exposure  exceeds  the  client's  approved 
derivative  credit  limit. 


Recommendation:  improve  credit 
monitoring 


RECOMMENDATION—REPEATED 


We  again  recommend  that  Alberta  Treasury 
Branches  promptly  update  the  derivative  credit 
limits  disclosed  in  the  Daily  Derivative  Credit 
Exposure  Report. 

Our  audit  findings 

We  examined  the  process  for  updating  the  Daily 
Derivative  Credit  Exposure  Report  and  concluded 
that  no  significant  changes  to  the  process  had 
occurred  since  our  original  recommendation.  We 
tested  the  process  and  still  identified  differences 
between  the  customer  credit  limits  on  the  credit 
application  and  those  on  the  monitoring  report. 

To  implement  this  recommendation,  ATB  must 
create  a  process  that  promptly  updates  customer 
credit  limits  on  the  Daily  Derivative  Credit  Exposure 
Report  when  customer  credit  limits  change. 


Implications  and  risks  if  recommendation 
not  implemented 

The  monitoring  of  ATB's  client  derivative  credit 
risk  exposure  will  be  ineffective  if  inaccurate  credit 
limits  are  reported  within  the  Daily  Derivative  Credit 
Exposure  Report. 

Internal  controls  over  fair  value 
calculations  of  securities  and 
derivatives — recommendation  repeated 
Background 

In  our  October  2008  Report  (page  274),  we 
recommended  that  ATB  improve  controls  over  the 
calculations  of  fair  value  for  its  derivatives  and 
securities.  We  noted  that  manual  data  inputs  used 
in  the  computation  of  fair  values3  were  not  reviewed 
for  accuracy  or  approved. 


3     Fair  value  is  the  amount  of  consideration  that  would  be 
agreed  upon  in  an  arm's  length  transaction  between 
knowledgeable,  willing  partners  who  are  under  no 
compulsion  to  act. 
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Recommendation:  improve  internal 
controls  over  fair  value  calculations 


RECOMMENDATION— REPEATED 


We  again  recommend  that  Alberta  Treasury 
Branches  improve  controls  over  the  calculation 
of  the  fair  value  for  its  derivatives  and 
securities  by: 

implementing  a  peer  review  and  approval 
process  for  inputs  and  assumptions  used 
in  the  valuation  models.  Alternatively, 
for  derivatives,  management  could  use 
a  benchmarking  process  to  assess 
reasonability  of  its  calculated  fair  values 
documenting  the  results  of  this  work 
consistently 


Our  audit  findings 


We  have  repeated  this  recommendation  because 
ATB  has  not  yet  implemented  effective  controls 
over  the  calculation  of  the  fair  value  for  its 
securities  and  derivatives. 

Implications  and  risks  if  recommendation 
not  implemented 

Income  and  assets  within  the  financial  statements 
could  be  misstated  if  there  are  not  adequate 
controls  over  the  fair  value  calculation  of  derivatives 
and  securities. 

Process  for  confirming  compliance 
with  Alberta  Finance  and  Enterprise 
guidelines — implemented 

Background 

In  our  October  2007  Report  (no.  26,  vol.  2— 
page  94),  we  recommended  that  ATB  should 
have  systems  and  processes  in  place  to  ensure 
it  complies  with  the  Outsourcing  of  Business 
Activities,  Functions,  and  Processes  Guideline 
issued  by  the  Alberta  Minister  of  Finance  and 
Enterprise.  We  repeated  the  recommendation  in 
our  October  2009  Report  (no.  25— page  226). 

Our  audit  findings 

ATB  implemented  our  recommendation  by 
improving  its  materiality  assessment  process. 
We  concluded  that  the  new  process  corrects  the 
override  in  the  previous  process  that  allowed 


a  material  outsourcing  arrangement  to  be 
misclassified  in  2009. 

Criminal  record  checks — implemented 
Background 

In  our  October  2008  Report  (no.  30— page  279), 
we  recommended  that  ATB  improve  its  hiring 
processes  to  ensure  criminal  record  checks  are 
completed  on  prospective  employees  prior  to 
hiring  these  employees.  ATB's  responsibilities 
to  its  customers  include  the  duty  to  ensure  that 
confidential  customer  information  is  adequately 
safeguarded.  Only  employees  who  have  met 
ATB's  hiring  standards  should  have  access  to  this 
confidential  information. 

Our  audit  findings 

ATB  implemented  our  recommendation  by 
contracting  with  a  third  party  service  provider  to 
have  criminal  record  checks  completed  within 
two  business  days.  ATB  also  will  not  grant  new 
employees  an  employee  number  from  the  payroll 
system  until  all  required  documentation  is  received, 
including  criminal  record  checks.  In  2010,  we  tested 
20  samples  that  followed  this  new  process  and 
found  no  instances  where  employees  were  hired 
without  a  criminal  record  check  being  completed. 

Alberta  Investment  Management 
Corporation  (AIMCo) 

Overview  of  the  audit 

On  January  1,  2008,  the  Department  of  Finance 
and  Enterprise  transferred  its  investment 
management  operations  to  the  newly  formed 
Alberta  Investment  Management  Corporation 
(AIMCo),  a  Crown  corporation  within  the  Ministry  of 
Finance  and  Enterprise. 

AIMCo  manages  approximately  $71  billion  of 
investments  owned  by  Alberta  endowments  funds 
such  as  the  Alberta  Heritage  Savings  Trust  Fund, 
public  sector  pension  plans  such  as  the  Local 
Authorities  Pension  Plan,  government  funds 
such  as  the  Alberta  Sustainability  Fund  and  other 
government  entities.  Below  is  a  summarized 
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"assets  under  management"  table  from  the  Alberta 
Investment  Management  Corporation  Annual 
Report  2009/10: 


Investment  Clients 

Market 
Value 

Endowment  Funds 

$17.3  billion 

Pension  Plans 

$27.7  billion 

Short-term  Government  of  Alberta  Funds 

$23.0  billion 

Special  Purpose  Government  Funds 

$2.7  billion 

Total 

$70.7  billion 

Table  1 :   AIMCo's  assets  under  management 

Since  its  creation,  AIMCo  has  focused  on 
organizing  and  building  upon  the  investment 
management  operations  it  inherited  from  the 
Department.  Our  current  audit  recommendations 
relate  to  AIMCo's  need  to  also  develop  processes 
for  and  controls  over  the  financial  information  it 
provides  clients. 

When  investment  operations  were  in  the 
Department,  investment  management  staff  worked 
closely  with  investment  accounting  staff  who 
prepared  financial  statements  or  financial  statement 
information  for  the  Department's  investment  clients. 
The  investment  accounting  staff  were  familiar 
with  the  Department's  investment  management 
operations.  They  attended  investment  management 
meetings  and  were  involved  with  establishing 
accounting  policies  and  procedures.  They  also 
identified  and  corrected  accounting  errors. 

The  Department  continues  to  be  responsible 
for  preparing  financial  statements  or  financial 
statement  information  for  pension  plans, 
endowment  funds  and  other  investment  clients. 
Therefore,  the  Department's  investment  accounting 
staff  must  be  sure  that  the  underlying  investment 
information  is  complete  and  accurate.  Although 
AIMCo  has  taken  over  the  investment  management 
operations,  the  Department's  investment 
accounting  staff  continue  to  prepare  financial 
statements  or  financial  statement  information 
for  investment  clients,  using  information  from 
AIMCo's  general  ledger  (Genvest)  and  portfolio 
management  system  (Pacer). 


Department  staff  also  perform  certain  control 
activities  such  as: 

reconciling  transactions  between  Pacer  and 

Genvest 

reviewing  the  allocation  of  investment  income 
to  clients 

performing  monthly  bank  reconciliations 

reviewing  asset  transfers 

correcting  and  reporting  errors  identified  to 

AIMCo 

AIMCo  needs  additional  accounting  expertise  to 
maintain  the  control  activities  that  Department  staff 
put  in  place  so  that  AIMCo  itself  can  ensure  the 
accuracy  of  its  investment  general  ledger. 

Our  new  recommendations  focus  on  improving 
AIMCo's  ability  to  provide  accurate  and  timely 
financial  information  used  in  the  preparation  of 
financial  statements  to  its  investment  clients, 
including  the  Department.  These  improvements 
include  identifying  its  clients'  financial  reporting 
needs  as  well  as  developing  better  controls  over 
the  investment  general  ledger  and  information 
technology  change  management  processes. 

Findings  and  recommendations 

Client  financial  reporting  requirements 
Background 

AIMCo's  clients  use  various  financial  reporting 

frameworks.  These  include: 

Canadian  generally  accepted  accounting 
principles  for  government  business  and 
government  business-type  enterprises 
Canadian  generally  accepted  accounting 
principles  for  pension  plans 
Canadian  accounting  standards  developed  by 
the  Public  Sector  Accounting  Board 

In  2011 ,  two  of  AIMCo's  clients  will  be  adopting 
International  Financial  Reporting  Standards. 

These  frameworks  differ  from  each  other  and 
require  AIMCo's  clients  to  report  and  disclose 
different  types  of  investment  information.  In 
addition,  the  governing  bodies  for  each  framework 
frequently  issue  new  and  revised  accounting 
standards. 
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Some  of  AIMCo's  clients,  such  as  the  Department, 
have  access  to  the  Genvest  general  ledger  and 
Pacer  portfolio  management  systems  and  are  able 
to  prepare  financial  statements  without  additional 
information  or  assistance  from  AIMCo.  However, 
other  clients  require  additional  investment-related 
information  to  prepare  their  financial  statements  in 
accordance  with  their  particular  financial  reporting 
framework. 

Recommendation:  help  clients  meet 
financial  reporting  requirements 


RECOMMENDATION  NO.  17 


We  recommend  that  the  Alberta  Investment 
Management  Corporation  identify  financial 
reporting  requirements  in  its  investment 
management  agreements  with  clients.  The 
Alberta  Investment  Management  Corporation 
should  meet  with  the  clients  to  understand  their 
financial  reporting  frameworks,  their  financial 
accounting  requirements  and  the  investment- 
related  information  they  need  to  prepare 
financial  statements. 

Criteria:  the  standards  for  our  audit 

AIMCo  management  should: 

periodically  discuss  financial  reporting 
requirements  with  its  clients 
understand  its  clients'  financial  reporting 
frameworks  and  develop  systems  and 
procedures  to  produce  the  investment-related 
information  they  require 
have  investment  management  agreements 
with  its  clients  that  include  the  provision  of  the 
specific  financial  reporting  information  they 
require 

provide  the  agreed  upon  information  in  a  timely 
and  accurate  manner 


Our  audit  findings 


Kev  Points 


AIMCo  does  not  have  agreements  with  its 
clients  to  provide  investment  financial  reporting 
information 

Two  new  investment  accounting  standards 
were  in  place  for  December  2009.  AIMCo  did 
not  develop  systems  to  produce  the  required 
information  in  time  to  meet  client  reporting 
deadlines. 


AIMCo  management  has  discussed  financial 
reporting  requirements  with  some  of  their  clients, 
but  AIMCo  does  not  have  written  agreements 
to  provide  the  information.  Some  client  financial 
reporting  information  is  provided  by  AIMCo  and 
some  is  provided  by  the  Department. 

Two  new  accounting  standards  applicable  to  the 

financial  reporting  of  certain  AIMCo  clients  were  in 

effect  as  of  January  1 ,  2009: 

•     CICA  Handbook,  EIC-173,  requires  that 
counterparty  credit  risk  be  considered  in  the 
valuation  of  derivative  investments 
CICA  Handbook,  3862,  Financial  Instruments — 
disclosures  requires  an  entity  to  classify 
financial  instruments  using  a  fair  value 
hierarchy  which  is  based  on  the  quality  and 
reliability  of  the  information  to  estimate  fair 
value 

AIMCo  did  not  review  and  assess  the  implications 
of  these  new  standards  in  advance  of  the 
December  31 ,  2009  year-end.  AIMCo  did  not 
develop  appropriate  systems  and  procedures  to 
produce  the  investment-related  information  in  time 
to  meet  its  clients'  financial  reporting  deadlines. 

AIMCo  hired  a  public  accounting  firm  to  guide  its 
approach  to  counterparty  credit  risk  in  the  valuation 
of  derivative  investments  {CICA,  EIC-173).  The 
firm's  initial  assessment  was  that  the  effect  would 
be  immaterial.  However,  the  full  assessment  was 
incomplete  at  December  31,  2009,  and  remained 
incomplete  as  of  May  2010.  AIMCo  did  not  provide 
the  information  that  would  have  been  needed  to 
make  the  appropriate  adjustment  or  disclosure 
in  its  clients'  financial  statements.  Consequently, 
AIMCo's  clients  were  exposed  to  the  risk  of 
inaccurate  derivative  valuation  in  their  financial 
statements. 

AIMCo  did  not  review  changes  to  CICA  3862  in 
advance  of  the  December  31 ,  2009  year-end,  to 
develop  a  clear  approach  to  disclosing  the  inputs 
it  uses  to  make  fair  value  measurements.  AIMCo's 
valuations  group  prepared  an  initial  classification 
of  the  fair  value  hierarchy  for  several  investment 
pools;  AIMCo's  Controller  prepared  a  different 
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classification.  Consequently.  AIMCo's  clients  had  to 
revise  their  financial  statement  disclosures  several 
times. 


Implications  and  risks  if  recommendation 
not  implemented 

Without  a  clear  understanding  of  its  clients' 
individual  financial  reporting  frameworks,  AIMCo 
might  not  be  providing  them  with  complete  and 
accurate  reports  of  investment  fair  values  and 
disclosures.  As  a  result,  its  clients'  financial 
statement  disclosures  might  be  incomplete  or 
inaccurate. 

General  ledger  controls 
Background 

AIMCo  records  its  investment  transactions  in 
two  systems:  Pacer  and  Genvest.  Pacer  is  an 
investment  portfolio  management  system  that 
tracks  investment  activity  (purchases,  sales, 
splits,  dividends,  maturities,  cash  deposits  and 
withdrawals,  changes  in  market  value).  Genvest 
is  a  general  ledger  system  that  is  integrated  with 
Pacer.  It  requires  no  duplication  of  data  entry  when 
operating  effectively.  Genvest  is  needed  to  produce 
trial  balances  and  to  provide  a  full  audit  trail  of 
transaction  modifications. 

AIMCo  staff  enter  investment  transactions  directly 
into  Pacer.  Genvest  is  automatically  updated 
through  journal  entries  that  use  cross-reference 
codes  from  Pacer:  however,  these  codes  do  not 
work  for  all  investment  transactions.  When  the 
cross  reference  codes  don't  work,  AIMCo  uses 
manual  journal  entries  to  update  Genvest. 

AIMCo's  investment  pools  include  cash  balances. 
AIMCo  prepares  daily  bank  reconciliations  for  all 
investment  pool  transactions  recorded  in  Pacer. 
Pacer  transactions  can  be  recorded  at  the  current 
date,  or  they  may  be  backdated. 

Department  of  Finance  and  Enterprise  staff 
access  information  from  Pacer  and  Genvest  to 
prepare  financial  statements  or  financial  statement 
information  for  pension  plans,  endowment  funds 
and  other  entities.  AIMCo  closes  Genvest  and 


Pacer  six  business  days  after  each  quarter-end, 
to  facilitate  this  process.  Department  staff  perform 
review  procedures  to  ensure  that  the  data  within 
Pacer  and  Genvest  is  reliable.  The  Department's 
procedures  include  the  following: 
cash  controls: 

preparing  monthly  bank  reconciliations  for 
each  investment  pool  and  client  to  both  the 
Pacer  and  Genvest  systems 
agreeing  individual  client  deposits  and 
disbursements  in  Genvest  to  bank 
statements 

identifying  the  nature  of  cash  transactions 
and  reviewing  them  for  reasonability,  to 
correct  coding  errors,  duplicated  entries, 
reversals  and  ensure  the  accuracy  of  large 
or  unusual  transactions 
reviewing  cash  transactions  posted 
subsequent  to  the  reporting  date,  to 
determine  the  financial  statement  effect 
investment  pool  controls: 

analyzing  entries  made  to  client's  cost 
accounts  to  identify  purchases,  disposals 
and  income  distributions,  and  recording 
them  in  a  spreadsheet 
preparing  investment  pool  working  papers 
to  reconcile  opening  cost  and  fair  values  to 
ending  balances 


Recommendation:  improve  controls  over 
investment  general  ledger 


RECOMMENDATION  NO.  18 


We  recommend  that  the  Alberta  Investment 
Management  Corporation  implement  additional 
control  procedures  so  that  the  Corporation  itself 
can  ensure  the  completeness  and  accuracy  of 
its  Genvest  investment  general  ledger. 


Criteria:  the  standards  for  our  audit 

AIMCo  should  have  effective  internal  controls  to 
ensure  that  investment  information  in  its  Genvest 
general  ledger  is  complete  and  accurate. 


Our  audit  findings 


Key  Point 


AIMCo's  control  activities  over  its  investment 
general  ledger  are  not  effective  and  continue  to  be 
supplemented  by  control  activities  performed  by 
the  Department  of  Finance  and  Enterprise. 
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AIMCo,  by  itself,  does  not  have  effective  internal 
controls  to  ensure  that  financial  information  in  its 
Genvest  investment  general  ledger  is  complete 
and  accurate.  The  Department  of  Finance  and 
Enterprise  continues  to  perform  certain  control 
activities  over  the  Genvest  investment  general 
ledger  to  supplement  control  activities  performed 
by  AIMCo.  For  example,  the  Department 
currently  performs  monthly  bank  reconciliations 
for  investment  pool  and  client  bank  accounts, 
prepares  investment  pool  working  papers,  and 
reconciles  opening  cost  and  fair  value  balances  to 
period  ending  balances.  These  control  activities 
performed  by  the  Department  identify  accounting 
errors  in  the  Genvest  investment  general  ledger 
that  the  Department  communicates  to  AIMCo.  The 
accounting  errors  are  then  corrected  by  AIMCo. 

During  its  review  procedures  for  the  year  ended 
December  31,  2009,  the  Department's  accounting 
staff  identified  a  $400  million  understatement 
of  cost  and  realized  investment  income  in  four 
investment  pools.  By  the  time  the  Department 
reported  the  errors  to  AIMCo,  it  had  already  issued 
client  reports.  A  client  used  the  AIMCo  client  report 
to  prepare  financial  statements,  understating 
investment  cost  and  realized  investment  income  by 
$4.4  million. 

AIMCo  does  not  reconcile  cash  balances  in 
Genvest  to  the  corresponding  bank  accounts  on 
a  monthly  basis.  This  procedure  is  performed  by 
the  Department.  During  our  audit,  we  identified  the 
following  differences  between  cash  reported  in  the 
Genvest  investment  general  ledger  and  the  bank 
accounts: 

For  the  Universe  Fixed  Income  Pool,  Canadian 
cash  reported  by  the  bank  was  $56  million, 
compared  to  $48  million  reported  in  Genvest. 
For  the  Global  Equities  Index  Pool,  Canadian 
cash  reported  by  the  bank  was  $317  million, 
compared  to  $352  million  in  Genvest.  US  cash 
reported  by  the  bank  was  $2  million,  compared 
to  $61  million  in  Genvest. 
For  the  Global  Equities  Master  Pool,  Canadian 
cash  reported  by  the  bank  was  nil,  compared  to 
$455  million  reported  in  Genvest. 
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AIMCo  staff  could  not  explain  the  reasons  for 
these  differences  because  they  do  not  prepare 
monthly  Genvest  bank  reconciliations.  We 
obtained  explanations  for  the  differences  through 
discussions  with  Department  staff.  We  were 
satisfied  that  the  Department's  controls  identified 
and  dealt  with  the  differences. 


Implications  and  risks  if  recommendation 
not  implemented 

Without  adequate  investment  general  ledger 
controls,  AIMCo  needs  to  continue  to  rely  on  the 
Department's  control  activities  and  might  provide 
inaccurate  financial  reports  to  its  investment  clients. 

Information  technology  change 

management 

Background 

Changes  to  IT  systems  are  usually  done  to  improve 
the  efficiency  and  effectiveness  of  programs  or 
services  or  to  respond  to  problem  areas  or  external 
requirements,  such  as  legislative  changes. 

Well-designed  and  effective  change  management 
controls  ensure  that  staff  consistently  follow 
standardized  procedures  for  efficient  and 
prompt  handling  of  changes  to  an  organization's 
IT  systems.  Change  management  processes  also 
help  maintain  the  proper  balance  between  the  need 
for  change  and  the  potential  detrimental  impact  of 
changes. 


Recommendation:  strengthen  IT  change 
management  controls 


RECOMMENDATION 


We  recommend  that  the  Alberta  Investment 
Management  Corporation  strengthen  its  IT 
change  management  controls  to  ensure  that  it 
adequately  assesses  the  risks  of  changes,  and 
does  not  make  changes  outside  of  the  change 
management  process. 


Criteria:  the  standards  for  our  audit 

AIMCo  should  have  a  well-designed  IT  change 
management  policy,  procedures  and  controls. 
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Our  audit  findings 


Kev  Points 


•  A  large  number  of  changes  to  AIMCo's  IT 
systems  were  made  and  implemented  into  the 
systems  by  the  same  person 

•  AIMCo  does  not  have  a  detective  control  to 
ensure  that  no  IT  systems  changes  were  made 
outside  of  its  change  management  process 

We  tested  20  changes  and  found  that  15  of  the 
changes  were  implemented  into  the  production 
system  by  the  same  person,  who  developed  or 
tested  them.  These  changes  followed  AIMCo's 
change  management  policy  and  procedures. 
But  the  procedures  allowed  the  same  person  to 
develop,  test  and  implement  the  change  after 
approval.  The  procedures  did  not  have  a  control 
to  ensure  that  the  change  was  implemented  as 
approved. 

We  also  found  that: 

AIMCo  considers  direct  changes  to  data 
or  information  in  the  database  as  standard 
changes,  which  therefore  do  not  require  any 
formal  testing,  approval  or  quality  assurance. 
AIMCo  does  not  have  an  effective  control  to 
review  system-generated  logs  to  ensure  that 
no  changes  were  made  outside  of  the  change 
management  process. 

Implications  and  risks  if  recommendation 
not  implemented 

Without  effective  change  management  procedures, 
AIMCo  may  not  be  able  to  rely  on  the  IT  financial 
and  business  systems  it  uses  to  securely  provide 
complete  and  accurate  information. 

Matters  from  prior-year  audits 

Valuation  of  private  equity  and  hedge 
fund  investments — implemented 
Background 

In  our  October  2009  Report  (no.  26—  page  233), 
we  recommended  that  AIMCo  establish  a  process 
to  estimate  current  market  values  for  private  and 
hedge  fund  investments.  AIMCo  should  have 


a  process  to  obtain  the  current  market  value 
of  all  private  and  hedge  fund  investments  at 
December  31 ,  and  compare  it  to  the  recorded 
market  values  of  these  investments.  If  the  recorded 
market  values  are  significantly  different  from  the 
current  market  values,  they  should  be  adjusted. 

AIMCo's  private  investments  include  private 
equities,  private  income,  private  infrastructure 
and  timberland.  AIMCo  updates  valuations  for 
these  investments  when  the  external  managers 
submit  unaudited  quarterly  financial  information, 
which  is  generally  three  months  after  quarter-end. 
Unaudited  financial  statements  for  hedge  fund 
investments  are  obtained  monthly  by  the  custodian, 
State  Street,  with  a  one-month  time  lag. 

Our  audit  findings 

AIMCo  has  implemented  our  recommendation  by 
establishing  an  Investment  Valuation  Committee 
and  using  a  public  accounting  firm  to  assess 
the  accuracy  of  external-manager-based  market 
values  for  private  equity  investments.  The  public 
accounting  firm  reviewed  the  valuations  of  25% 
of  AIMCo's  private  equity  portfolio  and  reported 
that  the  valuations  were  reasonable.  Based  on 
this  work,  the  Valuation  Committee  concluded  that 
private  equity  valuations  were  reasonable  and  no 
adjustments  were  necessary. 

We  tested  December  31 ,  2009  private  equity 
valuations,  and  observed  that  approximately 
80%  were  based  on  external  data  less  than  three 
months  old.  For  the  remaining  private  equity 
investments,  more  recent  valuation  data  was  not 
available.  We  also  reviewed  the  public  accounting 
firm's  report  and  agreed  with  the  Valuation 
Committee's  conclusion. 

In  May  2010,  AIMCo  amended  the  Valuation 
Committee  Charter  to  require  an  annual  review 
of  the  fair  value  of  private  investments  and  the 
accuracy  of  the  external  manager  valuations. 
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Internal  audit  function — implemented 
Background 

In  our  October  2009  Report  (page  232),  we 
recommended  that  AIMCo  re-establish  an 
internal  audit  group.  The  purpose  of  internal 
audit  is  to  determine  whether  the  governance, 
risk  management  and  internal  control  processes, 
as  designed  and  represented  by  management, 
are  adequate  and  functioning  well.  Internal  audit 
provides  an  independent  and  objective  view  of 
an  organization's  risk  management  and  control 
environment  and  helps  management  to  be 
accountable  through  its  reporting  to  the  Audit 
Committee. 


Our  audit  findings 

AIMCo  has  implemented  our  recommendation  by 
having  its  Audit  Committee  approve  the  Internal 
Audit  Charter  presented  by  the  newly  appointed 
Vice  President  of  Internal  Audit.  Internal  Audit 
plans  to  evaluate  the  effectiveness  of  AIMCo's 
risk  management,  control  and  governance 
processes.  The  Vice  President  of  Internal  Audit 
reports  functionally  to  the  Audit  Committee,  and 
administratively  to  the  CEO. 


Valuation  of  real  estate  investments — 

implemented 

Background 

In  our  October  2008  Report  (page  285),  we 
recommended  that  AIMCo  improve  its  procedures 
for  the  valuation  of  real  estate  investments  by: 
developing  a  detailed  accounting  policy  for 
valuation  of  real  estate  investments  which 
considers  contingent  liabilities 
segregating  valuation  of  real  estate 
investments  from  the  portfolio  management 
role 

developing  procedures  which  reconcile  the  fair 
value  and  cost  of  real  estate  investments  in 
Genvest  to  the  audited  financial  statements  of 
the  real  estate  holding  companies 

The  accounting  policy  for  valuation  of  real  estate 
investments  states  that  the  fair  value  of  real 
estate  investments  is  reported  at  the  most  recent 
appraised  value,  net  of  any  liabilities  against  the 
real  property.  The  valuation  process  starts  with 
the  appraisal  and  takes  into  consideration  the 
ownership  percentage,  any  mortgages  against 
the  property  and  other  liabilities  such  as  incentive, 
promotional  or  development  fees. 


Controls  over  record  management — 

implemented 

Background 

In  our  October  2008  Report  (page  291 )  we 
recommended  that  AIMCo  maintain,  file  and  be 
able  to  retrieve  all  hard  copy  records  supporting 
completed  investment  transactions. 


Our  audit  findings 

AIMCo  has  implemented  our  recommendation  by 
establishing  a  key  documentation  retention  policy. 
Internal  Audit  tested  the  policy  for  compliance  with 
the  retention  process  and  found  it  to  be  effective. 
In  our  2009-2010  audit,  we  were  able  to  locate  all 
reports  selected  for  audit  testing. 


Our  audit  findings 

AIMCo  has  implemented  our  recommendation  by 
introducing  a  new  Private  Real  Estate  Valuation 
Policy  that  segregates  the  valuation  of  real 
estate  from  the  portfolio  managers,  ensuring  an 
independent  valuation.  Under  the  Policy,  the 
l-CORE  group  receives  appraisals  directly  from 
external  asset  managers  and  uses  the  appraisals, 
together  with  debt  valuations  received  from  the 
valuations  group,  and  adjustments  received  from 
the  external  asset  managers,  to  complete  the 
valuations.  The  December  31,  2009  real  estate 
valuations  were  done  independently  from  portfolio 
managers. 

The  l-CORE  group  also  developed  procedures 
to  reconcile  the  fair  value  and  cost  of  real  estate 
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investments  in  the  general  ledger  to  the  audited 
financial  statements  of  the  real  estate  holding 
companies.  We  examined  the  reconciliation 
process  for  the  private  real  estate  pool  and  found  it 
to  be  adequate. 

Controls  over  completeness  and 
accuracy  of  private  equity  partnership 
investments — implemented 
Background 

In  our  October  2007  Report  (vol.  2— page  92), 
we  recommended  that  AIMCo  (then  the 
Department  of  Finance  and  Enterprise)  reconcile 
its  investments  in  private  equity  partnerships  to 
the  audited  partnership  financial  statements.  We 
also  recommended  that  AIMCo  accrue  income  tax 
refunds  for  private  equity  investments  as  soon  as 
the  amounts  are  known. 

AIMCo  manages  11  private  equity  pools  that 
are  held  through  limited  partnerships  in  which 
the  Crown  holds  a  direct  percentage  interest  or 
through  a  Crown  corporation  (blocker  corporation), 
which  holds  the  partnership  interest  on  behalf  of 
the  Crown.  External  auditors  are  engaged  by  the 
general  partners  to  audit  the  holding  company 
financial  statements.  These  audited  financial 
statements  are  made  available  to  AIMCo  within  six 
months  after  their  year-end.  Where  the  partnership 
interest  is  held  through  a  blocker  corporation,  a 
corporate  tax  return  is  prepared  and  a  payment  or 
refund  of  income  tax  may  ensue. 


Our  audit  findings 

AIMCo  has  implemented  our  recommendation  by 
having  its  l-CORE  group  perform  reconciliations 
for  three  private  equity  pools,  and  the  Timberland, 
private  mortgage  and  private  real  estate  pools. 
The  reconciliation  process  identified  adjustments 
which  were  made  for  the  Timberland  pool.  The 
l-CORE  group  also  tracked  the  income  tax  status 
of  the  blocker  corporations.  No  material  income  tax 
refunds  were  identified. 
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This  year,  we  reviewed  the  status  of  the  private 
infrastructure  and  private  equity  pool  reconciliations 
and  found  that  substantially  all  were  completed  to 
December  31,  2008.  The  l-CORE  group  continues 
to  reconcile  these  pools  to  the  audited  financial 
statements. 

Monitoring  ISDA  agreements — 

implemented 

Background 

In  our  October  2008  Report  (no.  34— page  288),  we 
recommended  that  AIMCo  review  its  International 
Swap  Dealers  Association  (ISDA)  agreements 
regularly  to  ensure  that  AIMCo  was  protected 
from  default  risk  by  its  counterparties.  We  also 
recommended  that  the  reasons  for  any  changes 
to  the  standard  form  of  the  ISDA  agreement  be 
documented  in  writing. 

The  Department  of  Finance  and  Enterprise 
is  responsible  for  the  oversight  of  all  ISDA 
agreements  written  in  the  name  of  the  Province 
of  Alberta.  The  Department's  Derivative  Risk 
Management  Committee  monitors  and  approves 
changes  to  the  ISDA  agreements.  AIMCo  has  a 
representative  on  the  Committee. 


Our  audit  findings 

AIMCo  has  implemented  our  recommendation 
by  reviewing  its  ISDA  agreements.  AIMCo  is  in 
the  process  of  adopting  Credit  Support  Annex 
(CSA)  agreements,  in  place  of  Material  Adverse 
Change  clauses,  for  better  protection  from  the  risk 
of  counterparty  credit  default.  This  initiative  was 
approved  by  the  Derivative  Risk  Management 
Committee.  One  CSA  agreement  has  been 
signed  to  date,  and  AIMCo  expects  more  will  be 
signed  the  next  year.  To  prepare  for  the  change 
to  CSA  agreements,  AIMCo's  internal  legal 
counsel  worked  with  external  counsel  to  review 
all  ISDA  agreements.  As  per  agreement  with 
the  Department,  AIMCo's  internal  legal  counsel 
now  reviews  and  approves  all  changes  to  ISDA 
agreements  related  to  AIMCo's  investments. 
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We  issued  unqualified  auditor's  opinions  on 
the  financial  statements  of  the  Ministry  and  the 
Department  for  the  years  ended  March  31 ,  201 0 
and  2009. 

We  issued  unqualified  auditor's  opinions  for  the 
following  entities  consolidated  within  the  Ministry: 
•     For  the  years  ended  March  31 ,  201 0  and  2009: 
Alberta  Cancer  Prevention  Legacy  Fund 
Alberta  Heritage  Foundation  for  Medical 
Research  Endowment  Fund 
Alberta  Heritage  Savings  Trust  Fund 
Alberta  Heritage  Scholarship  Fund 
Alberta  Heritage  Science  and  Engineering 
Research  Endowment  Fund 
Alberta  Investment  Management 
Corporation 

Alberta  Risk  Management  Fund 
Alberta  Securities  Commission 
•     N.A.  Properties  (1994)  Ltd. 

Provincial  Judges  and  Masters  in 
Chambers  Reserve  Fund 
Supplementary  Retirement  Plan  Reserve 
Fund 

For  the  years  ended  December  31 ,  2009  and 
2008: 

Alberta  Capital  Finance  Authority 
Alberta  Pensions  Services  Corporation 
Alberta  Local  Authorities  Pension  Plan 
Corp. 

Credit  Union  Deposit  Guarantee 

Corporation 
For  the  years  ended  September  30,  2009  and 
2008: 

Gainers  Inc. 

We  issued  unqualified  review  engagement  reports 
on  Alberta  Heritage  Savings  Trust  Fund's  quarterly 
financial  statements. 

We  examined  the  financial  statements, 
management  letters,  and  audit  files  for  the  years 
ended  December  31 ,  2009  and  2008  for  Alberta 
Insurance  Council,  a  Crown-controlled  corporation 
consolidated  within  the  Ministry.  A  public  accounting 
firm  audits  the  Council. 

We  issued  unqualified  auditor's  opinions  for  all  of 
the  financial  statement  audits  we  completed  for 
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Alberta  Treasury  Branches  and  its  subsidiaries 
(ATB  Investment  Services  Inc.,  ATB  Investment 
Management  Inc.,  ATB  Securities  Inc.,  ATB 
Insurance  Advisors  Inc.)  for  the  years  ended 
March  31,  2010  and  2009. 

We  issued  unqualified  review  engagement  reports 
on  ATB's  quarterly  financial  statements. 

A  public  accounting  firm  performed  compliance 
audits  of  ATB  Investment  Services  Inc.,  ATB 
Investment  Management  Inc.,  and  ATB  Securities 
Inc.,  and  reported  directly  to  the  applicable 
regulatory  bodies.  We  reviewed  the  results  of  these 
audits: 

Mutual  Fund  Dealers  Association  of  Canada's 
Financial  Questionnaire  and  Report  as  at 
March  31,  2010 

Investment  Industry  Regulatory  Organization 
of  Canada's  Joint  Regulatory  Financial 
Questionnaire  and  Report  as  at  March  31,  2010 
Compliance  Report  on  National  Instrument 
81-102  as  required  by  the  Alberta  Securities 
Commission  for  the  year  ended  March  31 ,  201 0 

We  also  issued  unqualified  auditor's  opinions  on 
the  financial  statements  of  the  following  entities  that 
are  not  consolidated  within  the  Ministry: 
•     For  the  years  ended  March  31 ,  201 0  and  2009: 
Consolidated  Cash  Investment  Trust  Fund 
Provincial  Judges  and  Masters  in 
Chambers  (Registered)  Pension  Plan 
For  the  years  ended  December  31 ,  2009  and 
2008: 

Local  Authorities  Pension  Plan 
Management  Employees  Pension  Plan 
Public  Service  Management  (Closed 
Membership)  Pension  Plan 
Public  Service  Pension  Plan 
Special  Forces  Pension  Plan 
Supplementary  Retirement  Plan  for  Public 
Service  Managers 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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In  2009-2010,  the  Department  of  Health  and 
Wellness  had  approximately  800  employees  (FTEs) 
to  support  its  operation.  It  spent  approximately 
$13  billion,  of  which  approximately  $9  billion  was 
provided  to  Alberta  Health  Services. 

Alberta  Health  Services,  supported  by  its  over 
64,000  employees  (FTEs),  spent  approximately 
$10  billion  in  2009-2010.  Its  expenses  represent 
approximately  80%  of  the  government's  total  health 
expenses  and  approximately  25%  of  the  total 
government  expenses. 


prepared  an  annual  business  and  financial  plan 
that  was  approved  by  the  board — see  page  170 
communicated  and  monitored  compliance  with 
its  investment  policy — see  page  170 
monitored  the  performance  of  a  contractor 
providing  significant  outsourced  services — see 
page  171 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Summary  of  our  recommendations 


Ministry  and  Department 

Department  of  Health  and  Wellness  has 
implemented  our  2006 — 2007  recommendation  to 
improve  access  and  change  management  controls 
in  its  Claims  Assessment  System — see  below. 

Due  to  changed  circumstances,  we  no  longer 
follow-up  on  infrastructure  funding  for  health 
facilities  with  this  Department — see  page  164. 

Alberta  Health  Services 

Alberta  Health  Services  should: 

prepare  a  formal  transition  plan  for  the 
organization's  finance  operations — see 
page  164 

ensure  signed  agreements  are  in  place  prior  to 
constructing  capital  projects — see  page  166 
assess  the  effectiveness  of  its  membership  in 
an  insurance  reciprocal  as  a  risk  management 
tool — see  page  167 
implement  consistent  and  efficient 
accounting  processes  for  externally  restricted 
contributions — see  page  168 
improve  its  year-end  financial  reporting 
processes — see  page  169 

In  the  past  year,  Alberta  Health  Services: 

established  controls  over  and  public  reporting 
for  executive  termination  payments — see 
page  169 


Findings  and  recommendations 


Department  of  Health  and 
Wellness 

Claims  assessment  system — 

implemented 

Background 

In  our  October  2007  Report  (vol.  2 — page  107),  we 
recommended  that  the  Department  of  Health  and 
Wellness  improve  access  and  change  management 
controls  in  its  Claims  Assessment  System  (CLASS) 
by: 

regularly  reviewing  access  to  CLASS  and 
documenting  the  procedures  for  the  review 
reviewing  table  modification  reports  and 
documenting  the  procedures  for  the  review 
reviewing  change  management  processes 
when  data  is  migrated  from  test  to  production 
environment  within  CLASS 
documenting  the  purpose  of  data  tables  in 
CLASS 

Our  audit  findings 


Key  Points 


•  Procedural  documentation  completed 

•  Built-in  functions  in  CLASS  adequate  to  avoid 
conflicting  role  assignments 

The  Department  has  documented  its  procedures 

for  reviewing: 

access  to  CLASS — Management  reviews 
access  quarterly  on  a  sample  basis. 
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table  modification  reports — Management 
reviews  the  table  modification  report  weekly, 
change  management  processes  when 
migrating  data  from  test  to  production 
environment — The  Department  has 
implemented  a  policy  to  ensure  segregation  of 
duties.  The  individual  making  changes  in  the 
production  environment  will  not  be  responsible 
for  reviewing  the  table  modification  report. 

Management  does  not  plan  to  document  the 
purpose  of  data  tables  in  CLASS.  Its  rationale  is 
that  the  amount  of  time  needed  to  complete  the 
documentation  exceeds  the  incremental  benefits. 
Management  asserts  that  the  built-in  functions 
in  CLASS  serve  the  purpose  of  avoiding  the 
assignment  of  conflicting  roles  to  staff.  We  accept 
management's  assertions. 

Infrastructure  funding  for  health 
facilities — changed  circumstances 
Background 

In  our  October  2008  Report  (page  301 ),  we 
recommended  that  the  Department  of  Health  and 
Wellness  improve  controls  over  infrastructure 
grants  for  health  facilities  by  implementing: 

agreements  with  grant  recipients  that  clearly 
outline  terms  and  conditions,  roles  and 
responsibilities  and  reporting  requirements 
a  process  to  obtain  periodic  reporting  on 
project  status 


Our  audit  findings 


Key  Point 


Management  of  health  facility  capital  grants 
transferred  to  Ministry  of  Infrastructure 

During  2009-2010,  the  Department  implemented 
a  standard  agreement  for  health  facility  capital 
grants.  However,  management  informed  us  that 
the  responsibility  of  managing  health  facility  capital 
grants  was  transferred  from  the  Ministry  of  Health 
and  Wellness  to  the  Ministry  of  Infrastructure  on 
April  1,  2010.  Due  to  this  change  in  circumstances, 
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we  will  not  follow  up  on  the  recommendation  with 
the  Ministry  of  Health  and  Wellness. 

Alberta  Health  Services 

Financial  operations  transition 
Background 

On  April  1,  2009,  Alberta  Health  Services  (AHS) 
commenced  as  one  organization  after  the  merger 
of  nine  regional  health  authorities,  the  Alberta 
Cancer  Board,  the  Alberta  Mental  Health  Board 
(AMHB),  and  the  Alberta  Alcohol  and  Drug 
Abuse  Commission  (AADAC)  (the  predecessor 
organizations).  Before  April  1,  2009,  many  finance 
staff  had  already  left  the  organization,  as  the 
merger  process  had  begun  in  2008. 

In  2009,  AHS  implemented  its  own  general  ledger 
accounting  system  (referred  to  as  the  topside 
ledger).  This  system  continues  to  be  fed  data 
from  the  general  ledgers  of  the  predecessor 
organizations.  Processing  within  these  general 
ledgers  continues  much  the  same  as  when  the 
predecessor  organizations  were  separate. 

Management  intends  to  finish  amalgamating 
various  systems,  such  as  the  general  ledger, 
payroll,  purchasing  and  revenue  systems,  over  the 
next  few  years. 


Recommendation:  financial  operations 
transition  plan 


RECOMMENDATION  NO.  19 


We  recommend  that  Alberta  Health  Services 
prepare  and  implement  a  formal  transition  plan 
for  the  organization's  finance  operations.  The 
plan  should  include  and  integrate  the  following: 
assessing  the  resources,  timelines  and 
critical  path  needed  to  consolidate  the 
general  ledger  and  sub-ledger  systems 
ensuring  rigorous  change  management 
controls  are  applied  before  implementing 
application  system  changes 
harmonizing  financial  reporting  policies  and 
processes  across  the  organization 
determining  the  adequate  amount  of 
human  resources  and  skill  levels  required 
to  implement  the  plan  and  then  keep  the 
processes  operational 
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Criteria:  the  standards  for  our  audit 

AHS  should  have  sufficient  project  management 
processes  and  controls  in  place  to  manage 
significant  organizational  changes. 


Our  audit  findings 


Key  Points 


•  Errors  were  noted  in  the  way  data  was  processed 
from  predecessor  organization's  general  ledgers 

•  Rigorous  change  management  processes  for 
applications  should  be  used 

•  Financial  reporting  processes  from  predecessor 
organizations  not  yet  fully  harmonized 

General  ledgers 

After  implementing  the  topside  ledger,  AHS  found 
numerous  errors  in  the  way  data  was  being 
processed  from  the  predecessor  organizations' 
ledgers.  This  occurred  because: 

Adjusting  entries  made  by  the  predecessor 
organizations  were  not  included  in  their 
respective  ledgers  and,  therefore,  the  topside 
ledger  did  not  pick  them  up.  This  resulted 
in  more  than  $500  million  in  misclassified 
expenses  that  needed  to  be  corrected  in  the 
topside  ledger. 

Transactions  with  Covenant  Health  were 
classified  uniquely  in  Capital  Health's 
general  ledger.  This  unique  classification 
was  not  picked  up  by  the  topside  ledger  and 
approximately  S420  million  of  expenses  were 
omitted. 

The  topside  ledger  layered  on  top  of  the 
multiple  legacy  general  ledgers  increases  the 
risk  of  error,  and  required  a  significant  amount 
of  AHS  staff  time  to  reconcile  the  year-end 
accounts  between  the  two  layers. 

Inaccurate  data  had  an  impact  on  internal  reporting 
systems.  AHS  staff  spent  a  significant  amount  of 
time  making  1,300  manual  entries  to  reclassify  data 
in  the  general  ledger  system.  Most  of  these  entries 
did  not  impact  amounts  at  the  financial  statements 
classification  level.  The  initial  budget  prepared 
and  approved  in  August  2009  was  not  comparable 
to  the  actual  results  because  of  the  number  and 
magnitude  of  adjustments  made  to  the  underlying 
data  throughout  the  fiscal  year.  Therefore,  AHS 


amended  the  2009-2010  budget  three  times— in 
December  2009,  April  2010,  and  May  2010. 

Change  management  processes  for 
application  systems 

When  implementing  a  new  or  significantly  revised 
application  system,  rigorous  testing  is  usually 
performed  to  ensure  the  application  will  function 
as  intended  before  putting  the  application  into 
active  use.  While  AHS  did  have  its  internal  audit 
group  complete  an  audit  of  the  topside  ledger's 
implementation,  this  was  done  about  nine  months 
after  the  new  system  was  put  into  active  use.  It 
took  several  months  after  the  internal  audit  was 
completed  to  identify  and  correct  anomalies  found 
during  that  audit  and  the  Finance  group's  own 
post-implementation  review. 

In  instances  where  rigorous  testing  cannot  be 
completed  on  a  new  system  before  it  is  put  into 
production,  another  control  mechanism  is  to  run 
the  new  system  in  parallel  with  the  old  system  for 
some  time  period.  This  helps  detect  problems  with 
the  new  system  in  a  timely  manner  and  provides 
a  back-up  if  the  new  system  fails.  AHS  did  not 
run  the  predecessor  organizations'  ledgers  and 
the  topside  ledger  in  parallel.  Instead,  processing 
has  been  unsystematically  commingled  between 
the  two  layers  of  ledgers.  Rather  than  provide  a 
compensating  control  mechanism,  this  approach 
confounds  the  control  processes  and  increases  the 
risk  of  error. 

Financial  reporting  policies  and  processes 
The  predecessor  organizations  had  different 
policies  and  processes  for  their  financial 
operations.  AHS  staff  identified  some  of  these 
areas,  such  as  capital  assets  and  financial 
instruments,  and  made  conforming  changes. 
However,  as  we  completed  the  year-end  audit, 
we  found  other  instances  where  AHS  has  not  yet 
harmonized  policies  and  processes. 

These  included: 

deferred  contributions  (see  our  recommendation 
on  page  168) 

accounting  for  employee  benefit  plans 
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accounting  for  doubtful  accounts  receivable 
vacation  accruals 

These  differences  led  to  further  adjustments  to  the 
financial  statements  during  the  audit  period.  (Also, 
see  our  repeated  recommendation  on  page  169.) 

The  predecessor  organizations  recorded  various 
transactions  between  each  other  and  within  their 
own  organization  when  they  were  separate  entities. 
After  the  merger,  some  of  the  staff  continued  to 
record  these  transactions  while  others  did  not.  The 
lack  of  a  formal  policy  on  which  transactions  should 
be  maintained  for  internal  costing  purposes  and 
which  should  be  discontinued,  increased  the  risk 
of  not  identifying  all  necessary  elimination  entries 
for  AHS's  consolidated  statements.  AHS's  multiple 
accounts  receivable  ledgers  compounded  the 
difficulty  of  identifying  all  of  the  inter-organizational 
transactions. 

Human  resource  requirements 

At  the  time  of  our  audit,  AHS  had  not  assessed  the 
resources  required  to  complete  all  of  the  systems 
mergers  or  its  ongoing  staff  needs  for  finance 
operations.  This  contributed  to  missing  several 
reporting  deadlines  and  a  significant  number  of 
errors  in  the  draft  financial  statements. 

AHS  has  lost  a  significant  amount  of  corporate 
knowledge  within  its  financial  operations  since  the 
merger  began.  A  system  to  retain  and  transfer  this 
corporate  knowledge  has  not  been  developed.  In 
the  absence  of  this  historical  corporate  knowledge, 
new  policies  and  training  need  to  be  developed  to 
ensure  consistent  processes  are  followed  across 
the  merged  organization. 


Implications  and  risks  if  recommendation 
not  implemented  

Operating  multiple  general  ledgers  is  inefficient 
because  of  the  additional  manual  control  processes 
needed  to  reconcile  them  to  the  topside  ledger.  It 
also  creates  a  risk  of  duplicating  general  ledger 
entries  at  the  two  levels  of  general  ledgers. 


Not  applying  rigorous  change  management 
controls  to  future  systems  consolidation  could  lead 
to  further  significant  errors  in  processing  when  AHS 
consolidates  its  general  ledger,  payroll,  and  other 
financial  systems. 

Villa  Caritas 
Background 

Villa  Caritas  is  a  150-bed  facility  in  Edmonton. 
In  2007,  the  former  Capital  Health  (now  Alberta 
Health  Services  [AHS])  issued  a  request  for 
proposal  (RFP)  to  construct  a  facility  whose 
beds  would  replace  existing  long-term  care  beds 
in  the  region.  Several  proponents  bid  on  the 
public-private-partnership  agreement,  which  was 
ultimately  awarded  to  the  former  Caritas  Health 
(now  Covenant).  Capital  Health's  anticipated 
funding  commitment  to  this  project  was  provided 
by  a  $12  million  infrastructure  grant  from  the 
Department  of  Health  and  Wellness,  with  the 
balance  of  the  facility  to  be  financed  by  the  partner. 


Recommendation:  funding  agreements  for 
capital  projects 


RECOMMENDATION  NO.  20 


We  recommend  that  Alberta  Health  Services 
ensure  that  funding  agreements  are  signed  prior 
to  commencement  of  construction  of  capital 
projects,  and  are  formally  amended  when  there 
are  significant  changes  in  the  scope  of  a  capital 
project. 


Criteria:  the  standards  for  our  audit 

Funding  agreements  should  be  signed  prior  to 
construction  and  amended  for  significant  changes 
in  project  scope.  The  agreement  should  cover: 
responsibilities  for  designing,  operating, 
maintaining,  and  constructing  the  facility 
functional  specifications  and  ownership  of  the 
facility 

funding  commitments  of  the  respective 
parties  for  the  construction,  operation,  and 
maintenance  of  the  facility 
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Our  audit  findings 


Key  Point 


The  construction  of  a  facility  is  almost  complete 
without  a  signed  agreement  in  place. 

As  of  May  2010,  Covenant  had  almost  finished 
construction  of  Villa  Caritas.  Residents  will  move 
into  the  facility  in  the  fall  of  2010.  However,  at  the 
time  we  completed  our  audit,  no  agreement  had 
been  signed  between  AHS  and  Covenant  Health  or 
their  predecessor  organizations. 

In  2009,  AHS  decided  to  change  the  purpose 
of  the  facility  from  a  long-term  care  facility  to  a 
mental  health  facility  including  120  acute  geriatric 
beds  and  30  long-term  care  beds.  This  significant 
change  necessitated  amendments  to  the  building 
specifications.  Conversion  to  an  acute  care  facility 
also  prompted  AHS  to  reconsider  the  financing 
structure  of  the  facility.  Rather  than  funding 
$12  million  up  front  with  the  balance  to  be  financed 
by  its  partner,  Covenant,  AHS  intends  to  fund  the 
full  cost  of  the  facility  up  front.  At  the  time  of  our 
audit,  AHS  was  negotiating  with  the  Department  of 
Health  and  Wellness  to  secure  approximately  an 
additional  $40  million  for  this  purpose. 

When  we  concluded  our  audit  in  June,  there  was 
no  formal  written  agreement  between  AHS  and 
Covenant.  Without  a  final  agreement  in  place  prior 
to  construction,  the  roles  and  responsibilities  of 
the  parties  were  not  clearly  defined.  Although  the 
scope  of  the  project  and  the  role  of  the  contractor 
was  contemplated  in  the  original  RFP  documents, 
the  change  in  project  purpose  made  it  especially 
important  to  ensure  key  terms  and  conditions, 
such  as  who  controlled  the  facility,  were  agreed 
upon  prior  to  construction.  A  signed  agreement 
would  also  have  allowed  AHS  to  ensure  that  risks, 
including  legal  risks,  were  allocated  to  the  proper 
party. 


Implications  and  risks  if  recommendation 
not  implemented 

Due  to  a  lack  of  formal  agreement,  Villa  Caritas 
may  not  be  constructed  or  funded  to  both  parties' 


expectations,  which  may  require  difficult  resolution 
processes  after  construction  has  finished. 

Without  a  contract  that  specifies  the  scope  and 
budget  for  a  capital  project,  there  is  a  greater  risk 
of  project  cost  escalation  that  would  be  borne  by 
taxpayers.  Also,  other  projects  in  AHS's  capital  plan 
may  have  to  be  delayed  or  cancelled. 

Provincial  Health  Authorities  of  Alberta 
Liability  and  Property  Insurance  Plan 
Background 

The  Provincial  Health  Authorities  of  Alberta  Liability 
and  Property  Insurance  Plan  is  an  insurance 
reciprocal  of  which  AHS  is  a  subscriber  along  with 
approximately  70  other  organizations.  The  purpose 
of  the  reciprocal  is  to  share  risks  of  liability  to 
lessen  the  impact  on  any  one  subscriber.' 

AHS  and  the  other  subscribers  pay  premiums  to 
the  plan  annually,  much  like  a  regular  insurance 
policy.  However,  unlike  a  regular  insurance 
policy,  subscribers  can  be  subject  to  cash  calls 
if  the  reciprocal  group  experiences  claims  in 
excess  of  accumulated  premiums  at  any  given 
time.  Subscribers  can  also  be  issued  a  dividend 
if  premiums  exceed  experienced  losses  and 
minimum  equity  requirements  subject  to  the  plan's 
advisory  board  approval. 


Recommendation:  effectiveness  of 
insurance  reciprocal 


RECOMMENDATION  NO.  21 


We  recommend  that  Alberta  Health  Services 
assess  the  effectiveness  of  its  arrangement  with 
the  Liability  and  Property  Insurance  Plan  as  a 
risk  management  tool,  and  assess  the  resulting 
accounting  implications. 

Criteria:  the  standards  for  our  audit 

AHS  should  test  the  effectiveness  of  its 
risk-management  strategies. 


1      Note  19(f)  In  AHS's  financial  statements  provides 

information  about  coverage  limits  of  the  plan,  as  well  as 
information  about  the  plan's  assets  and  liabilities. 


Report  of  the  Auditor  General  of  Alberta 
October  2010 


Health  and  Wellness 


icial  Statement  Audits  and  Other  Assurance  Work 


Our  audit  findings 


AHS  may  be  in  essentially  the  same  economic 
position  as  being  self-insured 

AHS  appoints  six  of  seven  trustees  to  the  plan's 
advisory  board.  AHS  is  the  single  largest  subscriber 
and  directly  accounts  for  an  estimated  80%  of 
the  plan's  activity  Organizations  such  as  AHS's 
subsidiaries,  primary  care  networks,  and  private 
not-for-profit  organizations  funded  by  AHS  are  the 
majority  of  the  other  subscribers.  Therefore,  AHS 
has  indirect  commitments  and  exposures  to  the 
plan  through  these  organizations. 

Since  AHS  would  have  to  pay  additional  funds  into 
the  plan  in  the  event  claims  exceed  accumulated 
assets,  or  can  receive  dividends  if  there  is  a 
sufficient  surplus,  AHS  retains  a  residual  interest 
in  the  plan's  net  assets  or  liabilities.  This  contrasts 
to  a  typical  trust  or  insurance  arrangement  where 
the  contributor  would  not  have  residual  risks  and 
benefits. 

The  combination  of  this  residual  interest  and  that 
AHS  and  its  related  organizations  make  up  the 
majority  of  subscribers  in  the  reciprocal  could  mean 
AHS  is  essentially  in  the  same  economic  position 
as  being  self  insured. 

AHS  does  not  record  its  share  of  the  assets, 
liabilities,  and  equity  of  the  plan  in  its  financial 
statements  because  it  has  not  yet  fully  assessed 
the  nature  of  its  relationship  with  the  plan. 


Implications  and  risks  if  recommendation 
not  implemented 

The  reciprocal  insurance  plan  may  not  effectively 
share  risk  and  lessen  the  impact  on  AHS  of  claims 
against  it. 

Deferred  contributions  and  deferred 

capital  contributions 

Background 

AHS  obtains  contributions  from  various  government 
bodies,  including  Alberta  Health  and  Wellness 
and  Alberta  Infrastructure.  AHS  had  $1  billion  in 
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deferred  capital  contributions  and  $730  million  in 
deferred  contributions  at  March  31,  2010. 

Starting  in  fiscal  2010,  AHS  Calgary  area  obtains 
initial  grant  agreements  and  grant  funding  receipts 
from  Alberta  Health  and  Wellness  and  Alberta 
Infrastructure.  The  other  AHS  areas  then  receive 
the  funds  from  Calgary,  and  administer  the  various 
balances  including  tracking  related  expenses. 
These  expenses  are  tracked  through  functional 
centres  or  projects  set  up  in  the  general  ledgers  or 
project  costing  module.  Many  different  functional 
centres  can  be  assigned  to  a  particular  grant. 


Recommendation:  accounting  for 
restricted  contributions 


RECOMMENDATION  NO.  22 


We  recommend  that  Alberta  Health  Services 
implement  consistent  and  efficient  accounting 
processes  for  externally  restricted  contributions 
to  assure  the  AHS  Board  that  it  is  complying 
with  the  restrictions  attached  to  those 
contributions. 


Criteria:  the  standards  for  our  audit 

There  should  be  consistent  practices  and 
processes  for  administering  and  accounting 
for  deferred  contributions  and  deferred  capital 
contributions. 


Our  audit  findings 


Key  Point 


The  manual  tracking  and  splitting  of  the  contributions 
into  voluminous  amounts  of  project  code  allocations 
increases  the  risk  of  error 

AHS  tracks  approximately  7,200  different  projects 
related  to  externally  restricted  contributions. 
More  than  90%  of  these  projects  are  less  than 
$500,000.  During  the  audit,  we  found  material 
errors  in  the  deferred  contribution  balances 
requiring  $163  million  of  adjustments  to  the  draft 
financial  statements.  Inconsistent  manual  tracking 
processes  amongst  the  former  regions  combined 
with  the  disaggregation  of  contributions  into  a 
voluminous  amount  of  project  code  allocations 
increases  the  risk  of  error  and  inefficiency.  We 
also  found  AHS  does  not  ensure  unspent  funds 
assigned  to  one  project  are  applied  to  eligible 
expenses  in  another  project.  For  example, 
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we  found  $1 .7  million  in  unspent  funds  from  a 
pandemic  planning  grant  were  not  applied  to 
eligible  H1N1  project  expenditures. 

Implications  and  risks  if  recommendation 
not  implemented 

Manual  and  inconsistent  processes  present  a  risk 
of  material  errors.  AHS's  existing  processes  are 
time  consuming,  subject  to  error  and  inefficient. 

Year-end  financial  reporting 
processes — recommendation  repeated 
Background 

Last  year  we  found  a  lack  of  clear  roles, 
responsibilities  and  direction  resulted  in  inaccurate, 
incomplete  and  untimely  financial  statements  at 
AHS's  predecessor  organizations.  Therefore,  we 
recommended  AHS  improve  its  year-end  financial 
reporting  practices.  As  described  in  the  background 
of  recommendation  no.  19  on  page  164,  these 
organizations  merged  on  April  1,  2009. 

Recommendation:  year-end  financial 
reporting  processes 


RECOMMENDATION  NO.  23— REPEATED 


We  again  recommend  that  Alberta  Health 
Services  improve  its  year-end  financial  reporting 
processes  by  improving  processes  to  identify 
and  resolve  key  accounting  risks  and  reporting 
issues  on  a  timely  basis. 

Criteria:  the  standards  for  our  audit 

There  should  be  appropriate  resources,  processes 
and  controls  in  place  to  ensure  that  year-end 
financial  statements  are  accurate,  complete  and 
timely. 

Our  audit  findings 


Key  Points 


•  Steps  were  taken  to  define  roles,  responsibilities 
and  decision-making  authorities  relating  to 
financial  reporting 

•  Processing  data  through  multiple  general  ledgers 
and  the  identification  and  resolution  of  key 
accounting  issues,  continues  to  provide  challenges 
in  producing  accurate  financial  statements 

We  found  that  AHS  has  taken  steps  to  define 
roles,  responsibilities  and  decision-making 


authorities  relating  to  financial  reporting.  However, 
we  continue  to  find  that  as  a  result  of  inefficient 
processes  surrounding  the  multiple  general  ledgers 
and  identification  and  resolution  of  key  accounting 
issues,  AHS  has  had  difficulty  producing  accurate 
financial  statements  within  the  necessary  timelines. 

During  the  year,  management  decided  to  track 
significant  matters  and  issues  on  an  "issue  list." 
This  list  formed  the  basis  of  ongoing  consultation 
with  us.  Initially,  management  was  proactive  in 
identifying  such  issues  and  flagging  them  for  our 
discussion  on  a  timely  basis.  However,  as  a  result 
of  turnover  and  other  constraints  noted  above, 
some  of  the  issues  remained  unresolved  until 
year-end  and  even  resulted  in  audit  adjustments. 
AHS  corrected  errors  totaling  $311  million  that  were 
identified  through  the  audit. 

The  individually  largest  corrections  were: 

$59  million  for  capital  contributions  recorded  as 
receivable  but  not  confirmed  by  AHW 
$69  million  related  to  missing  a  reversal  of  an 
elimination  entry 

$63  million  related  to  capital  contributions  that 
should  have  been  transferred  to  unamortized 
external  capital  contributions  in  2010,  but  were 
not 

Implications  and  risks  if  recommendation 
not  implemented 

AHS  will  have  inaccurate,  incomplete  and  untimely 
financial  statements  and  management  may  make 
incorrect  financial  decisions  if  it  relies  on  this 
information. 

Implemented  recommendations 

Executive  termination  payments — 

implemented 

Background 

In  our  October  2009  Report  (no.  27— page  256), 
we  recommended  that  Alberta  Health  Services 
establish  controls  for  executive  termination 
payments  by: 

developing  and  implementing  appropriate 

approval  and  oversight  processes 
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clearly  defining  termination  and  post- 
termination  benefits  in  employment  contracts 
including  future  termination  benefits  in  the 
salary  and  benefit  disclosure  in  the  financial 
statements 

Pages  256  to  260  of  our  October  2009  Report 
describe  in  detail  our  findings  supporting  this 
recommendation.  In  summary,  we  found  that 
termination  benefits  agreed  to  by  the  former 
regional  health  authorities  with  their  respective 
executive  managers  varied  significantly.  In  some 
cases,  termination  benefits  were  augmented  in 
relation  to  bonuses  and  retirement  plans  even 
though  contractual  requirements  to  pay  these 
amounts  were  unclear. 

We  also  found  that  there  was  a  lack  of  oversight  by 
AHS  management  and  its  Board  members  in  the 
entire  severance  process. 

While  AHS  did  disclose  the  value  of  termination 
benefits  paid,  we  also  recommended  that  AHS 
follow  private  sector  best  practices  and  disclose 
contractual  termination  benefits  for  existing 
executive  managers. 

Our  audit  findings 

AHS  developed  standardized  contracts  for  its 
senior  executives  that  explicitly  define  termination 
and  post-termination  benefits.  These  contracts  will 
apply  prospectively  to  newly  hired  executives.  For 
executives  who  previously  had  termination  benefits 
defined  in  their  contract  with  a  former  regional 
health  authority,  AHS  remains  contractually  bound 
to  these  terms  unless  the  executive  renegotiates 
their  contract  and  agrees  to  revised  termination 
benefits. 

For  continuing  employees  who  do  not  have 
termination  benefits  pre-defined  in  their  contract, 
AHS  has  implemented  guidelines  to  ensure 
consistent  termination  payments.  The  guidelines 
recommend  the  amount  of  termination  benefits. 
These  guidelines  are  based  on  the  same  factors 


the  law  takes  into  consideration,  such  as  length 
of  service  and  employee  age.  In  addition  to  the 
guidelines,  termination  payment  recommendations 
are  reviewed  and  approved  through  AHS's  human 
resources  department.  We  tested  a  sample  of 
36  termination  payments  and  found  that  the 
guidelines  were  applied  consistently  and  approved 
according  to  the  process  defined  in  the  guidelines. 
Since  the  process  is  now  administered  by  human 
resources  and  not  an  external  party,  we  found 
sufficient  documentation  supporting  termination 
decisions. 

AHS  implemented  the  last  part  of  our 
recommendation  by  describing  the  benefits  that 
would  become  payable  to  existing  executives  in  the 
event  of  termination.  This  information  is  disclosed 
in  the  footnotes  to  Schedule  2  of  the  consolidated 
financial  statements  for  each  executive.  In  the 
case  of  the  Chief  Executive  Officer,  AHS  has 
also  published  his  complete  contract  including 
termination  benefits  on  the  AHS  website. 

Budget  approval — implemented 
Background 

In  our  October  2009  Report  (no.  30— page  267), 
we  recommended  that  Alberta  Health  Services 
prepare  an  annual  business  plan  and  financial  plan 
and  have  them  approved  by  the  Board. 

Our  audit  findings 

Management  completed  a  financial  plan  for  fiscal 
2009-2010  which  was  approved  by  the  AHS 
Board  on  August  8,  2009.  Based  on  this  plan, 
management  has  monitored  the  organization's 
performance.  AHS  also  prepared  a  business  plan 
which  outlines  its  strategic  direction  for  2009-2012. 
The  plan  communicates  the  entity's  strategies, 
goals  and  direction  required  to  achieve  its  goals. 

Compliance  with  investment  policy — 
implemented 


Background 


In  our  October  2009  Report  (page  280),  we 
recommended  that  Alberta  Health  Services 
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communicate  its  investment  policy  to  its  asset 
manager  and  monitor  its  investment  portfolio 
on  a  regular  basis  to  ensure  compliance  with  its 
investment  policy. 


Our  audit  findings 

In  the  current  year,  AHS  communicated  its 
investment  policy  in  writing  to  both  the  various 
asset  managers  previously  serving  the  former 
regional  health  authorities,  as  well  as,  the  new 
asset  manager  taking  over  AHS's  whole  investment 
portfolio  during  the  year.  AHS's  internal  audit  group 
reviews  compliance  with  the  policy  and  reports 
to  the  Audit  and  Finance  Committee  of  the  Board 
quarterly.  Any  instances  of  non-compliance  are 
followed  up  by  AHS's  treasury  staff  with  the  asset 
manager  for  remediation. 

Monitoring  service  provider  compliance 
and  performance — implemented 
Background 

In  our  2006  October  Report  (no.  36— page  128),  we 
recommended  that  a  predecessor  to  Alberta  Health 
Services  monitor  the  performance  of  a  contractor 
using  service-level  standards  and  reporting 
timelines  agreed  to  between  the  contractor  and 
former  Calgary  Health  Region.  The  authority  had 
outsourced  significant  human  resource  processes 
to  the  contractor,  including  payroll. 


Our  audit  findings 

AHS  negotiated  24  service  level  agreements 
(SLAs)  with  the  contractor,  covering  processes 
such  as  payroll  and  the  HR  support  centre.  Each 
of  the  SLAs  include  key  performance  indicators 
to  measure  the  contractor's  performance. 
The  contractor  reports  monthly  to  AHS  on 
these  performance  measures.  We  found  that 
management  implemented  a  process  to  review 
these  reports  and  follow  up  with  contractor  on 
targets  not  met.  Periodically,  management  also 
requests  data  supporting  the  performance  measure 
results  to  validate  them  on  a  sample  basis. 


Financial  statements 


The  Ministry's  consolidated  financial  statements 
include  the  accounts  of  the  Department,  Alberta 
Health  Services,  Health  Quality  Council  of  Alberta, 
Alberta  Cancer  Foundation,  and  Calgary  Health 
Trust. 

Our  auditor's  opinions  on  the  Ministry  and 
Department  financial  statements  for  the  years 
ended  March  31,  2010  and  2009,  were  unqualified. 

We  issued  unqualified  auditor's  opinions  on 
the  financial  statements  for  the  years  ended 
March  31 ,  2010  and  2009,  of  the  following  entities: 
Alberta  Cancer  Foundation 
Alberta  Health  Services 
Calgary  Laboratory  Services  Ltd..  Carewest, 
and  Capital  Care  Group  Inc.— wholly  owned 
subsidiaries  of  Alberta  Health  Services 
Health  Quality  Council  of  Alberta 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 


Report  of  the  Auditor  General  of  Alberta 
October  2010 


Financial  Statement  Audits  and  Other  Assurance  Work 


Health  and  Wellness 


■J2  Report  of  the  Auditor  General  of  Alberta 


October  2010 


Housing  and  Urban  Affairs 


Summary  of  our  recommendations 


For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Financial  statements 


Our  auditor's  opinions  on  the  financial  statements 
of  the  Ministry,  Department  and  Alberta  Social 
Housing  Corporation  for  the  years  ended 
March  31,  2010  and  2009,  were  unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 


Report  of  the  Auditor  General  of  Alberta 
October  2010 


Housing  and  Urban  Affairs 
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Infrastructure 


Summary  of  our  recommendations 


The  Department  implemented  our  2009 
recommendation  to  improve  application  password 
controls — see  below. 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Findings  and  recommendations 


Password  controls — implemented 
Background 

In  our  October  2009  Report  (page  288).  we 
recommended  that  the  Department  of  Infrastructure 
improve  application  password  controls  or 
implement  effective  compensating  controls. 
Password  controls  are  an  integral  part  of  data 
security.  Passwords  are  needed  to  make  sure 
that  only  people  who  are  authorized  to  do  so 
can  access  the  network  or  the  business's  critical 
applications. 


Our  audit  findings 

The  recommendation  has  been  implemented.  The 
Department  has  changed  its  process  for  logging 
into  the  applications.  The  users  now  have  to  log 
into  the  applications  using  their  network  username 
and  password.  The  network  username  and 
passwords  are  managed  by  Service  Alberta  and 
are  configured  to  enforce  strong  passwords. 


Financial  statements 


Our  auditor's  opinions  on  the  financial  statements 
of  the  Ministry  for  the  years  ended  March  31 ,  201 0 
and  2009,  were  unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 


Report  of  the  Auditor  General  of  Alberta 
October  2010 


Infrastructure  Stimulus  Fund 
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International  and  Intergovernmental  Relations 


For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Financial  statements 


Our  auditor's  opinions  on  the  financial 
statements  of  the  Ministry  of  International  and 
Intergovernmental  Relations  for  the  years  ended 
March  31,  2010  and  2009,  were  unqualified. 
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International  and  Intergovernmental  Relations 
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Justice  and  Attorney  General 


Summary  of  our  recommendations 


The  Department  has  implemented  our 

October  2007  recommendation  to  improve  controls 

over  the  Civil  and  Sheriff  Entry  System — see  below. 

The  Office  of  the  Public  Trustee  should  improve 

controls  for: 

inputting  new  vendors  in  its  Public  Trustee 
Information  System  (PTIS) — see  below 
issuing  and  stopping  recurring  payments — see 
page  180 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Findings  and  recommendations 


Department  of  Justice  and 
Attorney  General 

Judicial  information  technology 
security — implemented 
Background 

In  our  October  2007  Report  (vol.  2— page  131 ), 
we  recommended  the  Department  of  Justice 
improve  controls  over  the  Civil  and  Sheriff  Entry 
System  (CASES)  by  developing,  documenting  and 
implementing  IT  security  policies  consistent  with 
the  guidance  in  the  Blueprint  for  Security  of  Judicial 
Information.^ 


Our  audit  findings 

The  Department  implemented  this  recommendation 

by: 

Documenting  its  procedures  for  creating  and 
terminating  users  in  CASES. 
Developing  an  enterprise  risk  management 
framework  to  provide  direction  to  all  business 

1      Blueprint  for  the  Security  of  Judicial  Information,  Canadian 
Judicial  Council.  Second  edition,  2006 


areas,  including  the  courts,  on  how  to  identify. 

analyze  and  mitigate  risks. 

Developing  an  online  training  package  to 

provide  all  Department  employees,  including 

courts  staff,  with  IT  security  awareness  and 

training. 

Creating  a  number  of  automated  checks  that 
look  for  security  events  such  as  expired  users 
or  invalid  passwords.  If  there  is  a  security 
event  on  the  network  or  CASES,  the  system 
generates  a  report.  Management  reviews  these 
reports. 

Developing  change  management  procedures 
for  CASES. 

Office  of  the  Public  Trustee 

Creating  new  vendors  in  Public  Trustee 

Information  System 

Background 

The  Office  of  the  Public  Trustee  operates  under 
the  authority  of  the  Public  Trustee  Act,  to  protect 
the  financial  interests  of  vulnerable  Albertans  by 
administering  the  estates  of  represented  adults, 
decedents  and  minors.  In  doing  so,  the  Office  of 
the  Public  Trustee  issues  payments  on  behalf  of 
their  clients. 

To  issue  a  payment  from  a  client's  account,  the 
vendor  must  first  be  set  up  in  PTIS.  The  trust  officer 
completes  a  form  requesting  a  new  vendor  to  be 
created  in  PTIS.  The  vendor  is  then  set  up  in  PTIS 
by  data  entry  staff. 

To  issue  a  payment  to  a  vendor,  the  trust  officer 
completes  a  transaction  request  form  which  is 
forwarded  to  data  entry  staff  for  payment.  A  cheque 
is  then  issued.  The  Office  of  the  Public  Trustee 
has  a  policy  that  payments  over  $4,000  must  be 
authorized  by  a  senior  trust  officer. 
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Justice  and  Attorney  General 


Recommendation:  new  vendor  set-up 


RECOMMENDATION  NO.  24 


We  recommend  that  the  Office  of  the  Public 
Trustee  improve  controls  for  inputting  new 
vendors  in  its  Public  Trustee  Information  System 

Criteria:  the  standards  for  our  audit 

Adequate  controls  should  exist  to  input  new 
vendors  prior  to  processing  payments  to  those 
vendors. 


Our  audit  findings 

Prior  to  setting  up  a  new  vendor  in  PTIS,  there  is 
no  requirement  to  review  the  validity  of  the  vendor. 
The  trust  officer  provides  the  name  and  address  of 
the  vendor  to  another  employee  for  input  into  PTIS 
In  some  cases,  a  vendor  may  provide  cleaning 
or  transportation  services  for  a  represented  adult 
client.  However,  there  is  no  requirement  to  provide 
supporting  documentation  such  as  a  letter,  invoice 
or  other  correspondence  to  confirm  the  validity  of 
the  vendor  or  amounts  paid. 

Once  a  vendor  is  set  up,  the  trust  officer  can 
initiate  payments  to  the  vendor.  For  payments 
under  $4,000,  there  is  no  requirement  for  another 
employee  to  authorize  the  payment.  Therefore, 
the  trust  officer  can  initiate  and  authorize  both 
the  set-up  of  a  vendor,  and  initiate  and  authorize 
payments  to  the  vendor,  without  having  another 
employee  authorize  the  payment. 


Implications  and  risks  if  recommendation 
not  implemented 

Without  adequate  controls  over  setting  up  new 
vendors,  there  is  a  risk  that  fraudulent  payments 
may  be  made. 

Recurring  payments 
Background 

A  recurring  payment  can  also  be  set  up  in  PTIS. 
For  example,  a  recurring  payment  can  be  set  up  to 
pay  utilities  or  pay  for  monthly  services  provided  to 
the  client.  These  disbursements  will  be  made  each 
month  until  they  are  stopped  by  the  trust  officer. 
The  process  for  initiating  a  recurring  payment 
is  the  same  as  the  process  for  issuing  one-time 
disbursements. 


Recommendation:  recurring  payments 


RECOMMENDATION 


We  recommend  that  the  Office  of  the  Public 
Trustee  improve  its  controls  for  issuing  and 
stopping  recurring  payments. 

Criteria:  the  standards  for  our  audit 

Adequate  controls  over  setting  up  new  vendors 
should  exist  and  be  followed. 


Our  audit  findings 

Recurring  payments  under  $4,000  do  not  require 
authorization  by  another  employee  or  supporting 
documentation  prior  to  being  set  up  in  PTIS. 
However,  over  time  a  recurring  payment  can  add 
up  to  an  amount  in  excess  of  the  $4,000  payment 
approval  threshold  established  by  management. 

Recurring  payments  will  occur  indefinitely  on  active 
files  until  the  trust  officer  initiates  a  form  to  stop  the 
payment.  During  our  sampling,  we  did  not  find  any 
inappropriate  recurring  payments.  However,  we  did 
not  find  evidence  of  a  process  to  periodically  review 
recurring  payments  to  determine  if  the  amount 
continues  to  be  valid  and  correct. 


Implications  and  risks  if  recommendation 
not  implemented 

Inaccurate  or  inappropriate  payments  may  be 
made. 


Financial  statements 


Our  auditor's  opinions  on  the  financial  statements 
of  the  Ministry  and  the  Department  of  Justice 
and  Attorney  General  for  the  years  ended 
March  31,  2010  and  2009,  were  unqualified. 

Our  auditor's  opinions  on  the  financial  statements 
of  the  Office  of  the  Public  Trustee  for  the  years 
ended  March  31,  2010  and  2009,  were  unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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Legislative  Assembly 


Financial  statements 


We  issued  unqualified  auditor's  opinions  on  the 
financial  statements  of  the  following  Offices  of 
the  Legislative  Assembly  for  the  years  ended 
March  31,  2010  and  2009: 

Legislative  Assembly  Office 

Office  of  the  Chief  Electoral  Officer 

Office  of  the  Ethics  Commissioner 

Office  of  the  Information  and  Privacy 

Commissioner 

Office  of  the  Ombudsman 

A  private  sector  firm  of  chartered  accountants 
appointed  by  the  Standing  Committee  on 
Legislative  Offices  audited  our  financial 
statements. 
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Municipal  Affairs 


Summary  of  our  recommendations 


The  Department  should  improve  its  procedures  for 
granting  and  removing  user  access  to  its  business 
applications  and  ensure  the  procedures  are 
followed — see  below. 

The  Department  has  implemented  our 
recommendation  to  enhance  controls  over 
information  technology — see  page  184. 

The  Department  has  made  satisfactory  progress 
in  implementing  improvements  to  its  management 
of  the  disaster  recovery  program.  However,  it  still 
needs  to  improve  estimating  processes  and  issue 
its  draft  guidelines  that  include  project  completion 
timelines — see  page  184. 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Findings  and  Recommendations 


User  access  management 
Background 

Good  user  access  management  is  one  of  the  core 
components  in  information  security  management. 
The  systems  included  in  our  audit  contain  critical 
information  that  has  an  impact  on  the  financial 
statements.  For  example,  the  Grant  Management 
System  (GMAS)  is  used  for  tracking  provincial 
grants  for  land  units  and  grants  in  lieu  of  taxes 
on  property  held  by  the  Alberta  government.  The 
Municipal  Debenture  Interest  Rebate  Program 
(MDIRP)  is  used  for  tracking  debentures  payment 
to  municipalities.  Therefore,  to  ensure  that 
only  authorized  users  access  the  Department's 
information  systems,  it  is  critical  to  enforce  strong 
user  access  management  procedures.  Such 
procedures  help  ensure  that  access  permissions 
to  information  systems  are  properly  assigned  and 
authorized,  and  removed  when  no  longer  required. 


Recommendation:  user  access  to 
information  systems 


RECOMMENDATION 


We  recommend  that  the  Department  of 
Municipal  Affairs  improve  its  procedures  for 
granting  and  removing  user  access  to  its 
business  applications  and,  ensure  those 
procedures  are  followed. 


Criteria:  the  standards  for  our  audit 

The  Department  should  have  a  documented  user 
access  management  process  and  ensure  that  it 
is  always  followed.  Levels  of  access  to  business 
applications,  including  user,  administrator,  and 
privileged  access,  should  be  requested,  approved, 
granted,  reviewed  regularly,  and  terminated  when 
no  longer  needed. 

Our  audit  findings 

We  reviewed  the  current  user  access  management 
process  for  MDIRR  GMAS  and  Municipal 
Sustainability  Initiative  (MSI)  applications  and  noted 
the  following  control  weaknesses: 

There  is  a  lack  of  segregation  of  duties  in 
the  overall  access  administration  process. 
The  requestor,  approver  and  implementer 
could  be  the  same  person  in  some  cases. 
For  example,  the  whole  process  for  granting 
access  to  MDIRP  and  MSI  could  involve  only 
one  individual. 

User  access  requests  to  the  business 
applications  are  not  standardized.  The  requests 
can  be  made  in  an  access  request  form,  by 
email  or  verbally. 

User  access  privileges  are  not  removed 
promptly.  In  October  2009,  we  identified 
one  instance  where  an  employee,  who  left 
the  Department  in  April  2009,  still  had  user 
access  privileges  including  remote  access. 
The  Department  terminated  this  user's  access 
after  we  communicated  this  matter  to  them  in 
October  2009. 

The  Department  does  not  conduct  a  periodic 
access  review  of  the  business  applications  to 
ensure  user  access  privileges  are  appropriate. 
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Municipal  Affairs 


Implications  and  risks  if  recommendation 
not  implemented 

Without  proper  and  effective  user  access 
management  policies  and  procedures,  the 
Department  is  at  risk  of  allowing  unauthorized 
access  to  its  information,  which  could  result  in 
significant  impact  to  the  confidentiality,  availability 
or  integrity  of  the  data  in  its  information  systems. 

IT  management  controls — implemented 
Background 

In  our  October  2004  Report  (page  265),  we 
recommended  that  the  Department  of  Municipal 
Affairs  enhance  controls  over  information 
technology  by: 

implementing  a  risk  assessment  framework  to 
continuously  manage  IT  risks 
enhancing  the  current  security  policies  and 
procedures,  and  ensuring  these  policies  and 
procedures  are  communicated  and  consistently 
applied  in  the  computing  environment 
obtaining  independent  control  assurance  on  its 
outsource  service  provider 


Our  audit  findings 

The  Department  has  obtained  an  independent 
control  assurance  report  (Canadian  Institute 
of  Chartered  Accounts  Handbook,  Section 
5970 — Auditor's  report  on  controls  at  a  service 
organization)  on  its  application  management 
service  provider. 

The  Alberta  government,  under  the  Ministry  of 
Service  Alberta's  leadership,  is  in  the  process  of 
implementing  a  risk  assessment  framework,  as 
well  as  security  policies  and  procedures  across  all 
government  ministries.  The  Ministry  has  decided 
to  follow  the  Ministry  of  Service  Alberta's  lead  by 
adopting  the  above  methodologies  and  directives. 
We  will  follow  up  on  management's  adoption  of 
these  methodologies  as  part  of  a  future  audit  at  the 
Ministry  of  Service  Alberta. 


Disaster  recovery  program — 
satisfactory  progress 
Background 

In  our  October  2009  Report  (page  301 ),  we 
recommended  that  the  Department  improve  its 
management  of  the  disaster  recovery  program  by: 
setting  timelines  for  key  steps  that  must  be 
performed  before  federal  government  funding 
can  be  received 

periodically  assessing  and  adjusting  costs 
and  recovery  estimates  based  on  current 
information 


Our  audit  findings 

The  Department  took  the  following  steps  towards 

implementing  this  recommendation: 

established  processes  for  ensuring  written 
requests  for  federal  disaster  assistance  are 
submitted  on  a  timely  basis — The  Department 
initiates  a  request  for  federal  assistance  once 
a  disaster  has  been  declared  as  being  eligible 
for  assistance  by  a  Government  of  Alberta 
Order  in  Council.  This  request  is  followed  up 
with  an  application.  For  the  new  disasters  in 
2009-2010,  we  observed  that  this  process  was 
followed  and  the  Department  submitted  the 
application  before  the  deadline, 
received  notification  from  the  federal 
government  that  the  late  application  for  the 
2008  disaster,  estimated  at  $3  million  in 
federal  assistance  was  approved — In  2009, 
discussions  were  ongoing  with  the  federal 
government  to  reconsider  its  application, 
established  a  process  for  reviewing  estimated 
costs  to  determine  if  the  accrued  liabilities 
on  the  financial  statement  accurately  reflect 
expected  project  outcomes — For  disasters  that 
have  occurred  in  prior  years,  the  Department 
made  adjustments,  based  on  updated 
forecasts,  to  their  accrued  liability  balance  on 
the  financial  statements.  As  a  result  accrued 
liabilities  were  reduced  by  $16.2  million  and 
recorded  as  a  prior  year  expenditure  refund, 
requested  a  final  federal  government  audit  of 
the  2004  and  2005  disasters 
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Municipal  Affairs 


To  fully  implement  this  recommendation,  the 

Department  still  needs  to: 

ensure  that  it  is  using  the  most  current 
information  when  assessing  its  estimates  of 
recovery 

finalize  its  municipal  disaster  recovery 
guidelines  that  include  timelines  for  project 
completion 


Financial  statements 


Our  auditor's  opinions  on  the  financial  statements 
of  the  Ministry  and  Department  of  Municipal  Affairs 
for  the  years  ended  March  31 ,  201 0  and  2009, 
were  unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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Seniors  and  Community  Supports 


Summary  of  our  recommendations 


Our  Seniors  Care  and  Programs  chapter  (starting 
on  page  69)  reports  the  results  of  our  follow-up  of  two 
recommendations  on  the  Alberta  Seniors  Benefit 
Program. 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Financial  statements 


Our  auditor's  opinions  on  the  financial  statements 
of  the  Ministry  and  Department  of  Seniors 
and  Community  Supports,  and  the  following 
six  provincial  agencies  for  the  years  ending 
March  31,  2010  and  2009,  were  unqualified: 
Persons  with  Developmental  Disabilities 
Northwest  Region  Community  Board 
Persons  with  Developmental  Disabilities 
Northeast  Region  Community  Board 
Persons  with  Developmental  Disabilities 
Edmonton  Region  Community  Board 
Persons  with  Developmental  Disabilities 
Central  Region  Community  Board 
Persons  with  Developmental  Disabilities 
Calgary  Region  Community  Board 
Persons  with  Developmental  Disabilities  South 
Region  Community  Board 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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Summary  of  our  recommendations 


The  Ministry  of  Service  Alberta  should  strengthen 
its  control  over  granting  user  access  to  the  Motor 
Vehicles  System — see  below. 

The  Ministry  has  implemented  our  October  2006 
recommendation  related  to  computer  security 
administration — see  below. 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Findings  and  recommendations 


Motor  vehicle  registration 
Background 

The  Motor  Vehicles  System  (MOVES)  keeps 
Albertans'  motor  vehicle  information.  Only 
approved  entities  can  access  the  system.  To  obtain 
access,  an  entity  must  have  a  contract  with  Service 
Alberta.  Through  its  data  access  and  contract 
management  unit,  Service  Alberta  verifies  that 
access  requests  for  individuals  are  from  approved 
entities  before  it  grants  the  requests. 

Recommendation:  access  to  motor  vehicle 
registration  data 


RECOMMENDATION 


We  recommend  that  the  Ministry  of  Service 
Alberta  strengthen  its  control  over  granting  user 
access  to  its  motor  vehicles  system. 

Criteria:  the  standards  for  our  audit 

Service  Alberta  should  grant  access  to  MOVES  to 
eligible  individuals  only. 

Our  audit  findings 


Inconsistent  reference  to  designated  contact  list 
for  granting  access  requests 


Service  Alberta's  data  access  and  contract 
management  unit  is  not  always  involved  if  the 
access  request  comes  from  entities  that  have  an 
ongoing  business  relationship  with  Service  Alberta. 
When  granting  access  for  individuals  to  MOVES 
upon  requests  from  these  entities,  management 
does  not  always  refer  to  a  list  of  designated 
contacts  from  the  entities  to  make  sure  that  the 
requests  are  from  valid  sources  within  those 
entities. 


Implications  and  risks  if  recommendation 
not  implemented 

Without  a  clear  and  consistent  process  to  confirm 
that  access  requests  are  from  designated  contacts 
only.  Service  Alberta  may  grant  unauthorized 
access  to  Albertans'  motor  vehicles  information. 

Security  administration — implemented 
Background 

In  our  October  2006  Report  (vol.  2— page  165). 
we  recommended  that  the  Ministry  of  Service 
Alberta  ensure  the  systems  it  administers  comply 
with  the  Government  of  Alberta's  authentication 
standards  for  computer  security.  Service  Alberta 
maintains  and  authenticates  passwords  throughout 
the  government  and  is  the  system  administrator  for 
other  government  entities'  applications  and  data. 

Our  audit  findings 

Strong  password  controls  are  in  place  to  ensure 
sensitive  information  protection 

Service  Alberta  has  developed  a  set  of  information 
security  management  directives  that  addressed 
security  concerns  within  the  government. 
Directive  6 — Access  Control  specifically 
identifies  the  authentication  requirements  and 
implementation  expectations  for  access  to 
government  information  and  information  technology 
systems.  We  tested  the  government's  domain 
password  policy  configuration  and  concluded 
that  Service  Alberta  has  implemented  our 
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recommendation  by  enforcing  strong  password 
controls  to  ensure  adequate  protection  of  sensitive 
information. 


Financial  statements 


Our  auditor's  opinions  on  the  Ministry  financial 
statements  for  the  years  ended  March  31 ,  201 0 
and  2009,  were  unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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Summary  of  our  recommendations 


The  Alberta  Gaming  and  Liquor  Commission 
delayed  planned  security  assessments  of  its 
high  risk  systems  and  a  policy  requiring  regular 
independent  security  assessments  has  not  been 
documented — see  below. 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Findings  and  recommendations 


Alberta  Gaming  and  Liquor 
Commission 

Information  technology  (IT)  security 
controls — independent  security 
assessment 
Background 

In  a  complex  IT  environment  like  the  one  at 
the  Commission,  many  different  computer 
systems,  applications  and  networking  devices 
are  interconnected.  A  security  weakness  in  one 
of  these  components  can  affect  other  systems, 
causing  an  operational  failure  or  security  exposure 
for  the  Commission.  For  this  reason,  it  is  important 
to  regularly  have  an  independent  security  expert 
review  system  and  network  security  configurations, 
perform  a  network  perimeter  penetration  test  and 
provide  an  expert  opinion  on  the  effectiveness 
of  the  security  controls,  to  make  sure  that  critical 
components  of  the  IT  environment  are  not  exposed 
to  unnecessary  risks.  It  is  common  industry 
practice  to  use  an  independent  vendor  to  perform 
the  assessment,  to  provide  an  independent  opinion 
on  the  strength  of  IT  security  controls. 


Our  audit  findings 


Key  Points 


Planned  security  assessments  were  delayed 

Policy  for  regular  independent  security  assessments 

not  documented 


During  each  of  our  reviews  of  IT  general  controls  in 
2008  and  2009,  management  stated  that  it  intended 
to  obtain  an  independent  security  assessment  on 
key  systems  in  its  IT  environment,  before  the  end  of 
those  fiscal  years.  When  we  returned  in  fiscal  2010 
to  conduct  our  annual  review,  we  found  that  the 
Commission  had  not  engaged  anyone  to  perform 
the  planned  security  assessments  nor  had  they  a 
documented  policy  for  this.  Management  told  us 
that  the  reviews  were  not  performed  because  of 
budget  and  staff  constraints. 

After  we  completed  our  current  review  and 
advised  management  of  this  finding,  they  hired  an 
independent  contractor  to  perform  a  penetration 
test/vulnerability  assessment  on  a  number  of  the 
Commission's  websites.  At  our  interim  audit  exit 
conference  with  management  on  April  12,  2010, 
management  provided  us  with  evidence  that  the 
network  vulnerability  assessment  was  completed, 
but  the  final  report  was  not  yet  available  for  our 
review.  On  May  12,  2010,  we  received  a  copy  of 
the  final  report,  which  detailed  network  and  website 
security  testing  the  contractor  had  performed. 

Although  the  Commission  did  eventually 
perform  the  network  vulnerability  testing,  it  still 
does  not  have  a  documented  policy  requiring  a 
regular,  independent  security  assessment  and 
identifying  the  scope  of  the  independent  security 
assessments. 


Financial  statements 


Our  auditor's  opinions  on  the  financial  statements 
of  the  Ministry,  Department,  Victims  of  Crime 
Fund,  Alberta  Gaming  and  Liquor  Commission 
and  Alberta  Lottery  Fund  for  the  years  ended 
March  31,  2010  and  2009,  were  unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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Summary  of  our  recommendations 


The  Department  has  made  satisfactory  progress 
implementing  our  recommendations  to: 

review  its  revenue  systems  and  put  processes 
in  place  to  allow  significant  revenues  currently 
recorded  when  cash  is  received  to  be  recorded 
when  revenue  is  due  to  the  Crown — see  below 
improve  IT  policies  and  processes  in  its 
information  technology  control  environment — 
see  page  194 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Findings  and  recommendations 


Department  of  Sustainable 
Resource  Development 

Controls  over  revenue — satisfactory 

progress 

Background 

In  our  October  2008  Report  (no.  39— page  355), 
we  recommended  the  Department  review  its 
revenue  systems  and  put  processes  in  place  to 
allow  significant  revenues  that  were  recorded  when 
cash  was  received,  to  be  recorded  when  revenue 
was  due  to  the  Crown. 

In  the  accrual  basis  of  accounting,  revenues  and 
expenses  are  reflected  in  the  determination  of 
results  for  the  period  in  which  they  are  considered 
to  have  been  earned  and  incurred,  respectively, 
whether  or  not  such  transactions  have  been  settled 
finally  by  the  receipt  or  payment  of  cash  or  its 
equivalent. 

In  the  cash  basis  of  accounting,  revenue  is 
recorded  when  cash  is  received. 

The  Department  provides  companies  with  rights  to 
use  land  known  as  dispositions.  There  are  different 
fees  associated  with  each  type  of  disposition. 


In  2008  and  2009  the  Department  used  the  cash 
basis  of  accounting  for: 

sand  and  gravel  royalties 

land  disturbance  fees  for  oil  sands,  coal  mines. 

in-situ  and  quarries 

timber  damage  assessment  fees 

We  also  reported  in  2008  that  the  Department 
was  at  least  one  year  behind  in  billing  companies 
for  land  disturbance  fees.  In  the  case  of  the 
largest  mine,  the  Department  needed  to  review 
documentation  with  the  company  back  to  1990  and 
was  unable  to  provide  an  estimate  of  how  much 
money  was  owed  by  the  company.  We  indicated 
that,  as  a  result  of  the  Department  being  so  far 
behind  in  billing  the  companies,  there  was  a  risk 
the  Department  would  not  be  able  to  fully  collect 
the  revenue  earned  because  the  limitation  period 
for  enforcement  as  per  the  Limitations  Act  may 
have  expired. 


Criteria:  the  standards  for  our  audit 

Controls  over  revenue  should  ensure  revenue  is 
completely  and  accurately  recorded. 


Our  audit  findings 


Key  Points 


•  Change  to  accrual  basis  from  cash  basis  resulted  in 
$24.9  million  being  added  to  net  assets 

•  Department  relies  on  self-reporting  by  companies  to 
estimate  revenue  under  the  accrual  basis 

•  Department  needs  a  process  to  confirm  amounts 
reported  by  companies  are  accurate 

The  Department  changed  its  accounting  policy 
for  revenue  recognition  for  the  2010  financial 
statements  to  the  accrual  basis  for  all  revenues 
that  were  previously  reported  on  a  cash  basis. 
An  adjustment  of  $24.9  million  was  added  to 
the  2010  net  assets  before  operating  results. 
The  Department  prepared  the  estimate  of  the 
revenue  owing  on  an  accrual  basis  by: 
asking  a  sample  of  companies  to  report 
the  amount  of  sand  and  gravel  fees  owing 
and  then  using  the  results  to  estimate 
the  results  for  the  total  population  of 
companies  owing  fees,  and 
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asking  all  of  the  companies  having  the 
same  type  of  disposition  to  report  the 
amounts  owing  for  land  disturbance  fees 
and  timber  damage  assessment  fees. 
The  Department  has  not  yet  implemented 
processes  to  check  whether  the  amounts 
reported  by  the  companies  are  complete  and 
accurate. 

To  fully  implement  this  recommendation,  the 
Department  needs  to  put  processes  in  place  to 
validate  the  amounts  reported. 

IT  Control  Framework — satisfactory 

progress 

Background 

In  our  October  2009  Report  (page  323),  we 
recommended  the  Department  improve  IT  policies 
and  processes  in  its  information  technology  control 
environment. 


Criteria:  the  standards  for  our  audit 

The  Department  should  have  documented  policies 
and  processes  for  the  IT  general  computer 
control  environment,  to  help  ensure  that  security 
and  continuity  of  critical  systems  and  data  are 
maintained. 


Our  audit  findings 


Key  Points 


•  Department  has  implemented  controls  over  most 
of  the  ITareas  including  documentation  of  access 
policies 

•  The  Department  needs  to  maintain  evidence 
of  access  approvals  and  ensure  all  terminated 
employees  have  application  access  removed 

The  Department  has: 

implemented  an  information  technology 
security  policy 

improved  its  IT  security  awareness  training 
improved  its  business  resumption  capability — 
the  Department  updated  the  disaster  recovery 
plan  and  the  business  continuity  plan  in  2009 
and  tested  the  recovery  procedures  for  critical 
systems  and  servers 
improved  their  data  centre  environmental 
controls — a  relative  humidity  sensor  was 
installed  and  connected  to  the  protection 


services  alarm  system.  In  addition,  the 
card-access  control  system  was  installed  on 
both  the  front  and  rear  data  centre  doors. 

The  Department  also  established  documented  user 
access  policies.  However,  to  fully  implement  this 
recommendation  the  Department  needs  to  maintain 
evidence  of  access  approvals  and  implement  a 
periodic  user  access  review  process  to  ensure 
that  application  access  has  been  removed  for  all 
terminated  employees. 


Financial  statements 


Our  auditor's  opinions  on  the  financial 
statements  of  the  Ministry,  the  Department 
and  the  Environmental  Protection  and 
Enhancement  Fund  for  the  years  ending 
March  31,  2010  and  2009,  were  unqualified. 

Our  auditor's  opinions  on  the  financial  statements 
of  the  Natural  Resources  Conservation  Board  for 
the  years  ending  March  31,  2010  and  2009,  were 
unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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For  outstanding  recommendations  previously 
made  to  the  organizations  that  form  the  Ministry, 
please  see  our  outstanding  recommendations  list 
on  page  203. 


Financial  statements 


Our  auditor's  opinions  on  the  financial  statements 
of  the  Ministry,  Department  and  the  Alberta  Sport. 
Recreation,  Parks  and  Wildlife  Foundation  for  the 
years  ending  March  31,  2010  and  2009,  were 
unqualified. 

Our  auditor's  opinion  on  the  financial  statements 
for  the  year  ended  March  31 ,  201 0  for 
Travel  Alberta  was  unqualified.  This  was  the 
Corporation's  first  year  of  operations. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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Summary  of  our  recommendations 


The  Department  should  improve  its  processes  to 
value  donated  assets  in  its  financial  statements — 
see  below. 

The  Department  has  implemented  our  November 
2006  recommendation  to  implement  a  risk 
based  system  to  ensure  compliance  with  grant 
conditions — see  page  198. 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 


Findings  and  recommendations 


Donation  of  Capital  Assets 
Background 

The  Department  entered  into  an  agreement, 
effective  April  1 ,  2008,  with  Suncor  Energy  Inc. 
whereby  Suncor  agreed  to  build  an  interchange 
over  Highway  63  and  transfer  it  to  the  Minister  of 
Transportation  to  own  and  operate. 


Recommendation:  Improve  processes  to 
value  donated  assets  in  the  Department 
financial  statements 


RECOMMENDATION 


We  recommend  that  the  Department  of 

Transportation: 

enter  into  agreements  with  donors  that: 
provide  the  Department  of 
Transportation  with  assurance  on  the 
fair  value  of  the  donated  assets 
specify  whether  donation  receipts  will 
be  issued 

document  its  support  for  the  valuation 
reported  in  its  financial  statements, 
including  the  procedures  performed, 
assumptions  made  and  source  documents 
reviewed 


Criteria:  the  standards  for  our  audit  

The  Department's  agreements  with  donors  should 
provide  it  with  assurance  on  the  fair  value  of 
the  donated  assets,  and  the  Department  should 
document  its  processes  to  validate  that  information. 

Our  audit  findings 

The  Department  recorded  a  capital  asset  and 
donation  revenue  in  the  amount  of  $56.7  million 
in  its  financial  statements  for  the  year  ended 
March  31 .  2010.  The  Department  valued  the  asset 
and  corresponding  donation  based  on  an  email 
from  an  engineer  under  contract  to  Suncor. 

The  Department  told  us  that  they  considered  the 

valuation  reasonable  because: 

the  Department's  professional  engineer 
responsible  for  managing  the  terms  of  the 
agreement  with  the  donor  advised  Finance  that 
the  valuation  amount  provided  by  the  donor 
was  reasonable 

the  valuation  of  $56.7  million  was  close  to  the 
$55  million  that  was  communicated  by  the 
donor  when  the  agreement  was  signed  and 
publicly  announced 

The  agreement  between  the  Department  and 
Suncor  Energy  Inc.,  did  not  provide  the  Department 
with  access  to  Suncor's  financial  records,  directly 
or  through  an  independent  person,  to  verify  the  fair 
value.  The  Department  did  not  specify  what  tax  or 
other  benefit,  the  donor  was  eligible  to  claim  and 
whether  the  Department  would  provide  tax  receipts 
or  other  confirmation  on  the  donation. 

The  Department  did  not  require  the  donor  to 
provide  access  to  records  or  verification  by  a 
person  independent  to  the  project,  to  enable  it  to 
accurately  value  the  asset  in  its  financial  records. 
The  Department  did  not  document  the  procedures 
it  followed  to  conclude  that  the  valuation  provided 
by  the  donor  was  accurate. 
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Implications  and  risks  if  recommendation 
not  implemented 

There  is  a  risk  that  the  value  recognized  for 
the  donated  assets  may  not  be  accurate  and 
appropriate. 

Compliance  with  grant  conditions — 

implemented 

Background 

In  our  November  2006  Report  (no.  5 — page  23),  we 
reviewed  the  Street  Improvement  Program  (SIP) 
and  Rural  Transportation  Grant  (RTG)  program 
at  the  (then)  Department  of  Infrastructure  and 
Transportation. 

We  concluded  that  the  Department  did  not 
have  adequate  systems  to  monitor  compliance 
with  these  grants  and  recommended  that  they 
implement  a  risk-based  system  to  ensure  recipients 
comply  with  the  terms  and  conditions  of  the  grants.1 

In  this  report,  we  follow  up  the  recommendation  to 
develop  a  risk-based  system  to  ensure  compliance 
with  the  terms  and  conditions  of  grants. 


Our  audit  findings 

The  Department  has  integrated  10  risk  factors  into 
the  processing  of  grant  documentation.  The  goal 
is  to  mitigate  risk  before  funds  are  released  by 
improving  the  approval  processes. 

The  Department  has  developed  and  activated  grant 
management  software.  Applicants  for  municipal 
grants  can  now  submit  their  grant  application 
information  and  updates  over  the  internet.  This 
improves  the  consistency  of  information  in  the  grant 
application  and  reporting  process  and  provides 
access  to  up-to-date  grant  and  project  information. 

The  files  we  tested  showed  that  processes  are 
working  as  designed  and  grant  money  is  being 
distributed  to  eligible  recipients. 


The  Department  places  primary  assurance  on 
the  certification  provided  by  municipal  or  county 
officials  (e.g.,  Senior  Financial  Officer  or  Chief 
Administrative  Officer)  and  submitted  on  their 
annual  statement  of  funding  and  expenditures.  The 
provided  certification  notes  compliance  with  the 
terms  of  the  grant  program  agreement  between  the 
Department  and  the  municipality  or  county. 

Also,  the  Department  monitors  the  risk  of  projects 
not  being  completed  as  required  by  using  MGMA2 
to  coordinate  the  observation  of  recipient  activity. 
This  includes  examining  various  SIP  and  RTG 
grant-supported  projects  while  department  staff 
is  in  a  municipality  or  county  examining  larger 
projects.  MGMA  is  updated  to  indicate  the  project 
has  been  observed;  updates  to  MGMA  may 
include  photos,  inspector's  notes,  media  articles, 
engineer's  certificate  of  completion.  A  new  status 
entry  is  now  in  MGMA  to  record  that  the  project 
has  been  observed.  Overtime,  accumulated 
information  can  be  analyzed  for  trends,  to  refine  a 
risk  focus. 


Financial  statements 


Our  auditor's  opinions  on  the  financial  statements 
of  the  Ministry  and  Department,  for  the  years  ended 
March  31,  2010  and  2009,  were  unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 


1      Our  November  2006  Report — page  24.  2     A  Department-supported  electronic  information  system. 
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Summary  of  our  recommendations 


The  government  implemented  our  recommendation 
by  including  universities,  public  colleges,  technical 
institutes,  regional  health  authorities  and  school 
boards  in  the  province's  consolidated  financial 
statements — see  below. 

For  outstanding  recommendations  previously  made 
to  the  organizations  that  form  the  Ministry,  please 
see  our  outstanding  recommendations  list  on 
page  203. 

Corporate  government  accounting 
policies — implemented 

Background 

In  our  October  2003  Report  (pages  40-41 ),  we 
repeated  our  recommendation  that  the  Department 
of  Finance  change  the  corporate  accounting 
policies  to  improve  accountability.  In  particular, 
we  reported  that  universities,  public  colleges, 
technical  institutes,  regional  health  authorities  and 
school  boards  should  be  included  in  the  province's 
consolidated  financial  statements.  The  Ministry  of 
Treasury  Board  is  now  responsible  for  corporate 
accounting  policies. 


Our  audit  findings 

The  government  included  these  entities  in  the 
Province's  March  31,  2010  and  2009  (restated) 
consolidated  financial  statements  on  a  line-by-line 
basis.  We  consider  this  recommendation  to  be 
implemented. 

Our  April  2010  Report  (page  145),  and  the 
province's  2009-2010  Annual  Report,  provide 
further  discussion  of  the  line-by-line  consolidation 
of  these  entities. 


Financial  statements 


Our  auditor's  opinions  on  the  Ministry  of  Treasury 
Board  financial  statements  for  the  years  ended 
March  31,  2010  and  2009,  were  unqualified. 


Performance  measures 


The  Ministry  engaged  us  to  review  selected 
performance  measures  in  the  Ministry's 
2009-2010  Annual  Report.  We  issued  an 
unqualified  review  engagement  report  on  these 
measures. 
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Past  Recommendations 
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Outstanding  Recommendations 


This  is  a  complete  list  of  past  recommendations  that  are  not  yet  implemented. 

We  currently  have  278  outstanding  recommendations — 135  are  numbered  and  143  are  unnumbered.  We 
have  identified  the  recommendations  that  have  been  repeated  one  or  more  times. 

Of  the  numbered  recommendations,  43  are  more  than  three  years  old.  We  use  three  years  as  a 
performance  measure  for  when  we  expect  management  to  implement  our  numbered  recommendations. 
We  recognize  some  recommendations  will  take  longer  to  fully  implement  than  others,  but  we  encourage 
full  implementation  within  three  years.  This  list  also  contains  recommendations  that  have  been  the 
subject  of  interim  audit  work,  which  concluded  that  implementation  had  not  yet  been  achieved — and  are, 
therefore,  still  outstanding. 

This  list  is  organized  alphabetically  by  ministry.  Each  section  includes  all  outstanding  recommendations 
for  the  ministry  and  the  entities  that  report  to  it.  We  have  separated  each  section  based  on  whether  or 
not  management  has  asserted  the  recommendations  are  implemented — the  recommendations  asserted 
as  implemented  appear  last.  As  soon  as  possible,  we  will  conduct  a  follow-up  audit  to  confirm  those 
assertions. 

The  reports  that  contain  these  recommendations  are  on  our  web  site  at  www.oag.ab.ca. 
Aboriginal  Relations 

There  are  no  outstanding  recommendations  for  this  entity. 

Advanced  Education  and  Technology 

Department 

These  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Non-credit  programs:  Monitoring — April  2008,  #2,  p.  23 

We  recommend  that  the  Department  of  Advanced  Education  and  Technology  implement  effective  processes  to: 
monitor  whether  Institutions  report  information  consistent  with  its  expectations. 

investigate  and  resolve  cases  where  Institutions'  program  delivery  is  inconsistent  with  its  standards  and 
expectations. 

IT  control  policies  and  processes — April  2008,  #8,  p.  195 

We  recommend  that  the  Department  of  Advanced  Education  and  Technology  (through  the  Campus  Alberta  Strategic 
Directions  Committee)  give  guidance  to  public  post-secondary  Institutions  on  using  an  IT  control  framework  to  develop 
control  processes  that  are  well-designed,  efficient,  and  effective. 

Cross-Institution  recommendations — Enterprise  risk  management — April  2010,  #17,  p.  158 

We  recommend  that  the  Department  of  Advanced  Education  and  Technology  (through  the  Campus  Alberta  Strategic 
Directions  Committee)  work  with  post-secondary  institutions  to  identify  best  practices  and  develop  guidance  for  them  to 
implement  effective  enterprise  risk  management  systems. 

Management  has  identified  these  recommendations  as  implemented — to  be  confirmed  with  follow-up  audits: 
Non-credit  programs:  Standards  and  expectations — April  2008,  #1,  p.  22 

We  recommend  that  the  Department  of  Advanced  Education  and  Technology: 

clarify  its  standards  and  expectations  for  non-credit  programs  and  clearly  communicate  them  to  public  post- 
secondary  Institutions. 

work  with  Institutions  to  improve  the  consistency  of  information  that  Institutions  report  to  the  Department. 

Monitoring  vocational  programs  offered  by  private  institutions — April  2008,  p.  42 

We  recommend  that  the  Department  of  Advanced  Education  and  Technology: 

develop  a  risk-based  strategic  audit  plan  of  new  and  follow-up  audits,  including  timelines  and  resources  to  audit 
private  institutions. 

issue  Orders  and  information  on  deficiencies  within  a  reasonable  time  after  completing  the  audit. 


Report  of  the  Auditor  General  of  Alberta  203 


October  2010 


Outstanding  Recommendations 


Alberta  College  of  Art  and  Design 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
IT  internal  controls— October  2007,  vol.  2,  p.  21 

We  recommend  that  the  Alberta  College  of  Art  and  Design  strengthen  internal  controls  for  computer  system  access  and 
server  backups.  We  further  recommend  that  the  College  develop  a  computer  use  policy. 

Preserving  endowment  assets — April  2009,  p.  78 

We  recommend  that  Alberta  College  of  Art  and  Design  (ACAD)  define  its  goals  for  the  use,  and  preservation  of  the 
economic  value  of  endowment  assets  (inflation  proofing). 

Management  has  identified  these  recommendations  as  implemented — to  be  confirmed  with  follow-up  audits: 
Periodic  financial  reporting — April  2010,  p.  160 
(repeated  once  since  April  2008) 

We  again  recommend  that  Alberta  College  of  Art  and  Design  improve  its  processes  and  controls  to  increase  efficiency, 
completeness  and  accuracy  of  financial  reporting. 

Bookstore  operations — April  2010,  p.  181 

We  recommend  that  Alberta  College  of  Art  and  Design  maintain  an  effective  system  of  internal  controls  to  enhance  the 
integrity  of  its  bookstore  operations. 

Journal  entries — April  2010,  p.  183 

We  recommend  that  Alberta  College  of  Art  and  Design: 

ensure  journal  entries  entered  into  the  financial  system  are  independently  reviewed  and  approved 
develop  a  policy  that  defines  the  process  for  recording  and  approving  journal  entries  and  the  documentation 
required  to  support  the  entry 

Grande  Prairie  Regional  College 

Management  has  identified  this  recommendation  as  implemented — to  be  confirmed  with  a  follow-up  audit: 
Preserving  endowment  assets — April  2009,  p.  78 

We  recommend  that  Grande  Prairie  Regional  College  define  its  goals  for  the  use,  and  preservation  of  the  economic 
value  of  endowment  assets  (inflation  proofing). 

Grant  MacEwan  University 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Construction  management — November  2006,  #9,  p.  35 

We  recommend  Grant  MacEwan  University  ensure  that  signed  contracts  (interim  or  final)  for  construction  projects  are  in 
place  before  projects  start. 

Capital  assets— April  2009,  p.  85 

We  recommend  that  Grant  MacEwan  University  improve  its  capital  asset  processes  by: 

documenting  its  assessment  on  the  appropriate  accounting  treatment  for  costs  related  to  construction  and 
renovation  projects. 

coding  and  recording  transactions  accurately  the  first  time. 

Systems  over  costs  for  internal  working  sessions  and  hosting  guests — April  2010,  p.  165 

We  recommend  that  Grant  MacEwan  University: 

implement  policies  and  guidance  on  appropriate  expenses  for  events  related  to  internal  working  sessions  and  for 
hosting  guests 

follow  its  policies  and  processes  for  employee  expense  claims  and  corporate  credit  cards 
Preserve  endowment  assets — April  2010,  p.  170 

We  recommend  that  Grant  MacEwan  University  improve  its  endowment  and  related  investment  policies  and  procedures 

by: 

establishing  and  regularly  reviewing  a  spending  policy  for  endowments 

improving  its  processes  to  review  its  endowment  related  investments 

improving  its  reporting  of  investments  and  endowments  to  the  audit  and  finance  committee 

Improve  and  implement  University  policies — April  2010,  #18,  p.  174 

We  recommend  that  Grant  MacEwan  University  improve  its  control  environment  by  implementing  or  improving: 
a  code  of  conduct  and  ethics  policy  and  a  process  for  staff  to  acknowledge  they  will  adhere  to  its  policies 
a  process  for  staff  to  annually  disclose  potential  conflicts  of  interest  in  writing  so  the  University  can  manage  them 
proactively 

a  safe  disclosure  policy  and  procedure  to  allow  staff  to  report  incidents  of  suspected  or  actual  frauds  or 
irregularities 

a  responsibility  statement  in  its  annual  report  to  acknowledge  management's  role  in  maintaining  an  effective 
control  environment 
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Adhere  to  signing  authority  limits— April  2010.  p.  176 

We  recommend  that  Grant  MacEwan  University  improve  its  processes  to  ensure  appropriate  staff  with  proper  signing 
authority  approve  contracts  and  purchases. 

Management  has  identified  these  recommendations  as  implemented — to  be  confirmed  with  follow-up  audits: 
Computer  control  environment — October  2005,  p.  104 

We  recommend  that  Grant  MacEwan  University  resolve  identified  deficiencies  and  strengthen  the  overall  control 
framework  in  the  Information  Technology  (IT)  environment. 

Donations— November  2006,  #10,  p.  37 

We  recommend  that  Grant  MacEwan  University  establish  a  policy  clearly  indicating  it  will  not  solicit  or  accept  donations 
with  participating  vendors  during  a  tendering  process. 

Bookstore  operations — April  2008,  p.  186 

We  recommend  that  Grant  MacEwan  University  improve  its  systems  to: 
manage  and  report  inventories 
monitor  and  account  for  the  use  of  petty  cash 

Parking  services  fees — April  2009,  p.  82 

We  recommend  that  Grant  MacEwan  University  improve  its  systems  to  control,  collect,  and  account  for  parking  services 
fees. 

Periodic  financial  reporting — April  2010,  p.  160 

We  recommend  that  Grant  MacEwan  University  improve  its  financial  reporting  to  the  Board's  Audit  and  Finance 
Committee  and  senior  management  by  providing — at  least  quarterly — complete  financial  statements  of  financial  position 
and  actual  year-to-date  operating  results. 

Lakeland  College 

The  following  recommendation  is  outstanding  and  not  yet  ready  for  a  follow-up  audit: 
Improve  payroll  controls — April  2009,  p.  91 

We  recommend  that  Lakeland  College: 

adequately  segregate  staff  access  to  the  PeopleSoft  payroll  system  to  ensure  only  valid  changes  are  made, 
review  change  reports  generated  from  the  payroll  system  for  appropriateness. 

prepare  monthly  reconciliations  of  the  payroll  system  to  the  general  ledger  and  promptly  review  the  reconciliations. 
Lethbridge  College 

Management  has  identified  this  recommendation  as  implemented — to  be  confirmed  with  follow-up  audit: 
Preserving  endowment  assets — April  2009,  p.  78 

We  recommend  that  Lethbridge  College  define  its  goals  for  the  use.  and  preservation  of  the  economic  value  of 
endowment  assets  (inflation  proofing). 

Medicine  Hat  College 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Periodic  reporting  to  the  Board — April  2010,  p.  160 
(repeated  once  since  April  2009) 

We  again  recommend  that  Medicine  Hat  College  improve  its  financial  reporting  to  the  Board  by  including — at  least 
quarterly — complete  statements  of  the  College's  operations,  financial  position  and  changes  in  net  assets. 

Preserving  endowment  assets — April  2009,  p.  78 

We  recommend  that  Medicine  Hat  College  define  its  goals  for  the  use,  and  preservation  of  the  economic  value  of 
endowment  assets  (inflation  proofing). 

Mount  Royal  University 

Management  has  identified  this  recommendation  as  implemented — to  be  confirmed  with  a  follow-up  audit: 
Preserving  endowment  assets — April  2009,  p.  78 

We  recommend  that  Mount  Royal  University  define  its  goals  for  the  use,  and  preservation  of  the  economic  value  of 
endowment  assets  (inflation  proofing). 

NorQuest  College 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Procurement  cards — Compliance  with  procedure  card  policy — April  2009,  p.  89 

We  recommend  that  NorQuest  College  ensure  that  its  procurement  card  statements  are  supported  by  adequate 
documentation  and  are  approved  by  an  authorized  individual  before  making  payments. 
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Bookstore  services — Segregation  of  duties  in  the  bookstore — April  2010,  p.  186 

We  recommend  that  NorQuest  College  implement  proper  segregation  of  duties  within  its  bookstore  services. 

Management  has  identified  this  recommendation  as  implemented — to  be  confirmed  with  a  follow-up  audit: 
Procurement  cards — Discrepancy  log — April  2009,  p.  88 

We  recommend  that  NorQuest  College  improve  controls  to  ensure  that  procurement  cardholders  comply  with  its 
procurement  card  policy. 

Northern  Alberta  Institute  of  Technology  (NAIT) 

Management  has  identified  this  recommendation  as  implemented — to  be  confirmed  with  a  follow-up  audit: 
Purchasing  guidelines — April  2010,  p.  187 

We  recommend  that  NAIT  implement  processes  to  ensure: 

guidance  exists  on  the  steps  required  to  evaluate  potential  vendors  and  the  documents  required  to  evidence  that  a 
review  occurred 

compliance  with  its  purchasing  guidelines 
all  purchasing  decisions  are  properly  justified 

Olds  College 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Preserving  endowment  assets — April  2009,  p.  78 

We  recommend  that  the  Olds  College  define  its  goals  for  the  use,  and  preservation  of  the  economic  value  of 
endowment  assets  (inflation  proofing). 

Improve  bookstore  sales  and  inventory  control — April  2010,  p.  184 

We  recommend  that  Olds  College  improve  internal  controls  in  the  bookstore  relating  to  sales  and  inventories. 

Portage  College 

The  following  recommendation  is  outstanding  and  not  yet  ready  for  a  follow-up  audit: 
Periodic  financial  reporting — April  2010,  p.  160 

We  recommend  that  Portage  College  improve  its  financial  reporting  to  the  Board  and  senior  management  by 
providing — at  least  quarterly — complete  financial  statements  of  financial  position  and  actual  year-to-date  operating 
results. 

Red  Deer  College 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 

Systems  over  costs  for  internal  working  sessions  and  hosting  guests — April  2010,  p.  167 

We  recommend  that  Red  Deer  College: 

implement  policies  and  guidance  on  appropriate  expenses  for  internal  working  sessions  and  hosting  guests 
strengthen  its  processes  to  ensure  staff  follows  its  policies  and  processes  for  employee  expense  claims  and 
corporate  credit  cards 

Management  has  identified  this  recommendation  as  implemented — to  be  confirmed  with  a  follow-up  audit: 
Control  over  payroll  processes — April  2010,  p.  185 

We  recommend  that  Red  Deer  College  improve  its  controls  over  payroll. 

Southern  Alberta  Institute  of  Technology  (SAIT) 

Management  has  identified  this  recommendation  as  implemented — to  be  confirmed  with  a  follow-up  audit: 
Preserve  endowment  assets — April  2010,  p.  170 

We  recommend  that  SAIT  clarify  its  expectations  for  preserving  the  economic  value  of  its  endowment  assets  and 
document  an  endowment  policy  for  managing  endowment  earnings. 

University  of  Alberta 

The  following  recommendation  is  outstanding  and  not  yet  ready  for  a  follow-up  audit: 

Systems  over  costs  for  internal  working  sessions  and  hosting  guests — April  2010,  p.  167 

We  recommend  that  the  University  of  Alberta  follow  its  policies  and  processes  for  employee  expense  claims  and 
corporate  credit  cards. 

Management  has  identified  this  recommendation  as  implemented — to  be  confirmed  with  follow-up  audit: 
Strategic  planning  for  Research — October  2004,  p.  252 

We  recommend  that  the  University  of  Alberta  improve  the  integration  of  research  into  its  strategic  business  plan  by 
ensuring  that: 

key  performance  measures  and  targets  are  identified  with  each  strategy  indicated  in  the  plan 

the  costs  of  achieving  these  targets  are  considered  when  making  budget  allocation  decisions 

the  faculty  and  other  research  administrative  unit  plans  set  out  in  clear,  consistent  terms  the  extent  to  which 

faculties  and  units  are  planning  to  contribute  to  the  achievement  of  these  targets 
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University  of  Calgary 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Planning  for  research  capacity— October  2004.  #26.  p.  255 

We  recommend  that  the  University  of  Calgary  improve  human  resource  and  space  plans  and  develop  a  system  to 
quantify  and  budget  for  the  indirect  costs  of  research. 

Research  roles  and  responsibilities— October  2005,  #18.  p.  90 

We  recommend  that  the  University  of  Calgary  define  research  management  roles  and  responsibilities. 

Research  policies — October  2005.  p.  91 

We  recommend  that  the  University  of  Calgary: 

ensure  all  research  policies  are  current  and  comprehensive, 
monitor  compliance  with  ethics  and  intellectual  property  policies. 

Research  project  management — October  2005.  p.  93 

We  recommend  that  the  University  of  Calgary  and  its  faculties: 

ensure  researchers  comply  with  sponsors'  terms  and  conditions,  and 

use  project  management  tools  for  large,  complex  projects  to  ensure  research  is  cost-effective 
IT  governance  and  control  framework — October  2007,  #18,  vol.  2,  p.  10 

We  recommend  that  the  University  of  Calgary  implement  an  Information  Technology  governance  and  control  framework 
Improving  the  control  environment — October  2008,  #21,  p.  213 

We  recommend  that  the  University  of  Calgary  improve  the  effectiveness  of  its  control  environment  by: 

assessing  whether  the  current  mix  of  centralized  and  decentralized  controls  is  appropriate  to  meet  its  business 
needs. 

defining  clear  roles,  responsibilities  and  accountabilities  for  control  systems'  design,  implementation,  and 
monitoring. 

documenting  its  decentralized  control  environment  and  implementing  training  programs  to  ensure  those 
responsible  for  business  processes  have  adequate  knowledge  to  perform  their  duties, 
monitoring  decentralized  controls  to  ensure  processes  operate  effectively. 

Controls  over  payroll — October  2009,  p.  153 
(repeated  twice  since  October  2007) 

We  again  recommend  that  the  University  of  Calgary  improve  controls  over  payroll  functions. 

PeopleSoft  security— October  2009,  #19,  p.  155 
(repeated  three  times  since  October  2006) 

We  again  recommend  that  the  University  of  Calgary  improve  controls  in  its  PeopleSoft  system  by: 
finalizing  and  implementing  the  security  policy  and  security  design  document 

ensuring  that  user  access  privileges  are  consistent  with  the  user's  business  requirements  and  the  security  policy 

Systems  over  costs  for  internal  working  sessions  and  hosting  guests — April  2010.  p.  166 

We  recommend  that  the  University  of  Calgary: 

implement  policies  and  guidance  on  appropriate  expenses  for  internal  working  sessions  and  hosting  guests 
follow  its  policies  and  processes  for  employee  expense  claims  and  corporate  credit  cards 

University  of  Lethbridge 

The  following  recommendation  is  outstanding  and  not  yet  ready  for  a  follow-up  audit: 
IT  internal  control  framework— October  2007,  #21,  vol.  2,  p.  23 

We  recommend  that  the  University  of  Lethbridge  implement  an  information  technology  control  framework. 

Management  has  identified  these  recommendations  as  implemented — to  be  confirmed  with  follow-up  audits: 
Financial  research  roles  and  responsibilities — October  2008,  p.  225 

We  recommend  that  the  University  of  Lethbridge  clearly  define  and  communicate  the  financial  research-management 
roles  and  responsibilities  of  Research  Services.  Financial  Services,  and  Deans. 

Clear  and  complete  research  policies — October  2008,  p.  227 

We  recommend  that  the  University  of  Lethbridge  improve  systems  to  ensure  that: 
financial  research  policies  are  current  and  comprehensive, 
proper  documentation  is  maintained  for  approving  research  accounts. 

researchers,  research  administrators  and  Financial  Services  staff  are  aware  of  changes  to  financial  policies  and 
are  properly  trained  to  comply  with  the  policies. 
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Processes  for  investing  in  research  projects — April  2009,  #1,  p.  26 

We  recommend  that  the  University  of  Lethbridge: 

strengthen  processes  for  assessing  risks  and  benefits  relating  to  prospective  business  relationships. 

strengthen  processes  to  oversee  and  monitor  financial  and  other  risks  throughout  the  life  of  business  relationships. 

periodically  report  to  the  Board  of  Governors  key  information  on  financial  and  other  risks  in  research  management. 


Agriculture  and  Rural  Development 
Department 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Evaluating  program  success:  grant  management — October  2005,  #20,  p.  113 
(repeated  once  since  October  2001) 

We  again  recommend  that  the  Department  of  Agriculture,  Food  and  Rural  Development  evaluate  the  performance  of  its 
grant  programs  in  meeting  Ministry  goals.  This  includes  evaluating  the  grant  programs  themselves,  as  well  as  individual 
grants  under  the  programs. 

Food  Safety:  Alberta  Agriculture's  surveillance  program — October  2006,  #9,  vol.  1,  p.  88 

We  recommend  that  the  Department  of  Agriculture,  Food  and  Rural  Development  improve  the  administration  of  its  food 
safety  surveillance  program.  This  includes: 

Documenting  its  prioritization  processes; 

Involving  partners  in  the  prioritization  of  projects; 

Ensuring  conditions  for  the  approval  of  specific  projects  are  met  and  final  approval  recorded; 

Capturing  costs  for  large  projects; 

Monitoring  the  impact  of  surveillance  projects; 

Considering  whether  regulatory  support  for  the  program  is  required. 

Food  Safety:  Alberta  Agriculture's  food  safety  information  systems — October  2006,  vol.  1,  p.  94 

We  recommend  that  the  Department  of  Agriculture,  Food  and  Rural  Development  improve  its  food  safety  information 
systems.  This  includes: 

Improving  security  and  access  controls; 

Ensuring  complete,  timely,  and  consistent  data  collection;  and 

Ensuring  data  gets  onto  the  computerized  data  base. 

Monitoring  IT  security  policy — October  2006,  vol.  2,  p.  40 

We  recommend  that  the  Department  of  Agriculture,  Food  and  Rural  Development: 

document,  approve,  and  communicate  to  employees  and  contractors  its  information  technology  security  policies 
and  standards. 

implement  a  process  to  monitor  compliance  by  employees  and  contractors  with  information  technology  security 
policies  and  standards. 

Reporting  and  dealing  with  allegations  of  employee  misconduct — November  2006,  #12,  p.  46 

We  recommend  that  the  Department  of  Agriculture,  Food  and  Rural  Development  improve  its  systems  for  reporting  and 
dealing  with  allegations  of  employee  misconduct. 

The  Departments  of  Agriculture  and  Rural  Development  and  Health  and  Wellness 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 

Food  Safety:  Integrated  food  safety  planning  and  activities — October  2009,  #11  ,  p.  107 
(repeated  once  since  October  2006) 

We  again  recommend  that  the  Departments  of  Health  and  Wellness  and  Agriculture  and  Rural  Development,  in 
cooperation  with  Alberta  Health  Services  and  federal  regulators,  improve  planning  and  coordination  of  food  safety 
activities  and  initiatives.  This  includes: 

improving  day-to-day  coordination  of  provincial  food  safety  activities 

improving  cooperation  and  working  relationships  among  provincial  and  federal  partners  such  as  the  First  Nations 
and  Inuit  Health  Branch  and  the  Canadian  Food  Inspection  Agency 

Food  Safety:  Eliminating  gaps  in  food  safety  inspection  coverage — October  2009,  #12,  p.  111 
(repeated  once  since  October  2006) 

We  again  recommend  that  Alberta  Health  Services  and  the  Departments  of  Health  and  Wellness  and  Agriculture  and 
Rural  Development,  working  with  federal  regulators,  eliminate  the  existing  gaps  in  food  safety  coverage  in  Alberta. 
Gaps  include: 

mobile  butchers 

consistently  administering  the  Meat  Facility  Standard 
coordinating  inspections  in  the  "non-federally  registered"  sector 
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Food  Safety:  Accountability— October  2009.  #13.  p.  114 
(repeated  once  since  October  2006) 

We  again  recommend  that  the  Departments  of  Health  and  Wellness  and  Agriculture  and  Rural  Development  improve 
reporting  on  food  safety  in  Alberta. 

Agriculture  Financial  Services  Corporation 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Loan  loss  processes — October  2007.  vol.  2.  p.  32 

We  recommend  that  the  Agriculture  Financial  Services  Corporation  improve  its  loan  loss  methodology  and  processes 
by: 

developing  guidelines  to  assess  which  loans  are  impaired 
incorporating  historical  loan  loss  experience 
periodically  updating  data  used  in  the  methodology 

IT  risk  assessment  and  control  framework — October  2009,  p.  168 

We  recommend  that  Agriculture  Financial  Services  Corporation: 

complete  an  Information  Technology  (IT)  risk  assessment  to  identify  and  rank  the  risks  within  its  computing 

environment,  linking  to  business  objectives:  and 

design  and  implement  IT  controls  to  mitigate  the  risks  it  identifies. 

Children  and  Youth  Services 
Department 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Accreditation  systems  for  service  providers — October  2007,  #7,  vol.  1,  p.  82 

We  recommend  that  the  Department  of  Children's  Services  evaluate  the  cost-effectiveness  of  accreditation  systems 
and  the  assurance  they  provide. 

Department  compliance  monitoring — October  2007,  #8,  vol.  1,  p.  83 

We  recommend  that  the  Department  of  Children's  Services  improve  compliance  monitoring  processes  by: 
incorporating  risk-based  testing  in  case-file  reviews. 

providing  feedback  to  caseworkers  on  monitoring  results  of  case-file  reviews, 
obtaining  and  analyzing  information  on  Authorities'  monitoring  of  service  providers. 

Child  and  Family  Services  Authorities 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Authorities  compliance  monitoring  processes — October  2007,  vol.  1,  p.  86 

We  recommend  that  the  Child  and  Family  Services  Authorities  improve  compliance  monitoring  processes  by  providing 
caseworkers  with: 

training  on  file  preparation  and  maintenance. 

feedback  from  the  monitoring  results  of  case-file  reviews. 

Authorities  monitoring  of  service  providers — October  2007,  vol.  1,  p.  88 

We  recommend  that  the  Child  and  Family  Services  Authorities  improve  the  evaluation  of  service  providers  by 
coordinating  monitoring  activities  and  sharing  the  results  with  the  Department. 

Culture  and  Community  Spirit  and  Tourism,  Parks  and  Recreation 
Ministry 

The  following  recommendation  is  outstanding  and  not  yet  ready  for  a  follow-up  audit: 
Computer  control  environment — October  2007,  vol.  2,  p.  172 

We  recommend  that  the  Ministry  of  Tourism,  Parks,  Recreation  and  Culture  work  with  Service  Alberta  to: 

document  the  services  that  Service  Alberta  is  to  provide  and  its  control  environment  for  information  technology 
implement  a  process  to  ensure  that  Service  Alberta  consistently  meets  service  level  and  security  requirements 
provide  evidence  that  control  activities  maintained  by  Service  Alberta  are  operating  effectively 
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Education 

Ministry  and  Department 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
School  board  budget  process— October  2006,  #25,  vol.  2,  p.  65 

We  recommend  that  Alberta  Education  improve  the  school  board  budget  process  by: 

Providing  school  boards  as  early  as  possible  with  the  information  needed  to  prepare  their  budgets  (e.g.  estimates 
of  operating  grant  increases  and  new  grant  funding,  and  comments  on  financial  condition  evident  from  their  latest 
audited  financial  statements). 

Requiring  school  boards  to  use  realistic  assumptions  for  planned  activities  and  their  costs  and  to  disclose  key 
budget  assumptions  to  their  trustees  and  the  Ministry. 

Establishing  a  date  for  each  school  board  to  give  the  Ministry  a  trustee-approved  revised  budget  based  on  actual 
enrolment  and  prior  year  actual  results. 

Re-assessing  when  and  how  the  Ministry  should  take  action  to  prevent  a  school  board  from  incurring  an 
accumulated  operating  deficit. 

School  board  interim  reporting — October  2006,  #26,  vol.  2,  p.  68 

We  recommend  that  Alberta  Education  work  with  key  stakeholder  associations  to  set  minimum  standards  for  the 
financial  monitoring  information  provided  to  school  board  trustees. 

We  also  recommend  that  Alberta  Education  work  with  the  key  stakeholder  associations  to  provide  information  to 
trustees  about: 

the  characteristics  of  a  strong  budgetary  control  system 

best  practices  for  fulfilling  financial  monitoring  responsibilities 

Business  cases — October  2007,  vol.  2,  p.  45 

We  recommend  that  the  Department  of  Education  establish  a  policy  for  developing  business  cases. 

Employment  and  Immigration 

Department 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Approving  and  renewing  training  programs — October  2008,  p.  249 

We  recommend  that  the  Department  of  Employment  and  Immigration  improve  its  systems  for  approving  and  renewing 
programs  by: 

clearly  defining  criteria  for  approving  each  program. 

developing  clear  performance  expectations  for  each  program  and  training  provider, 
using  its  monitoring  results  to  decide  whether  to  renew  a  program. 

Fraud  investigation  processes — October  2009,  p.  186 

We  recommend  that  the  Department  of  Employment  and  Immigration  improve  the  processes  of  its  investigation  units 

by: 

defining  clear  objectives  for  investigation  units 

establishing  guidelines  for  determining  when  they  should  undertake  a  fraud  investigation 
providing  fraud-specific  training  for  investigation  unit  staff 

Promoting  and  enforcing  compliance — April  2010,  #3,  p.  39 

We  recommend  that  the  Department  of  Employment  and  Immigration  enforce  compliance  with  the  Occupational  Health 
and  Safety  Act  by  employers  and  workers  who  persistently  fail  to  comply. 

Work  Safe  Alberta  planning  and  reporting — April  2010,  p.  43 

We  recommend  that  the  Department  of  Employment  and  Immigration  improve  its  planning  and  reporting  systems  for 
occupational  health  and  safety  by: 

obtaining  data  on  chronic  injuries  and  diseases  to  identify  potential  occupational  health  and  safety  risks 

completing  the  current  update  of  the  Work  Safe  Alberta  Strategic  Plan 

measuring  and  reporting  performance  of  occupational  health  and  safety  programs  and  initiatives  that  support  key 
themes  of  the  Plan 

Occupational  Health  and  Safety  inspection  systems — April  2010,  p.  46 

We  recommend  that  the  Department  of  Employment  and  Immigration  strengthen  its  proactive  inspection  program  by 
improving  risk  focus  and  coordinating  employer  selection  methods  for  its  inspection  initiatives. 
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Certificate  of  Recognition— April  2010.  p.  48 

We  recommend  that  the  Department  of  Employment  and  Immigration  improve  its  systems  to  issue  Certificates  of 
Recognition  by: 

obtaining  assurance  on  work  done  by  Certificate  of  Recognition  auditors 
consistently  following-up  on  recommendations  made  to  certifying  partners 

Legislated  permit  and  certificate  programs— April  2010,  p.  50 

We  recommend  that  the  Department  of  Employment  and  Immigration  strengthen  the  legislated  permit  and  certificate 
programs  by  improving: 

control  over  issued  asbestos  certificates 

processes  for  approval  and  monitoring  of  external  training  agencies 

Management  has  identified  these  recommendations  as  implemented — to  be  confirmed  with  follow-up  audits: 
Monitoring  and  enforcement  of  training  providers — October  2008,  #24,  p.  245 

We  recommend  that  the  Department  of  Employment  and  Immigration  improve  its  monitoring  of  tuition-based  training 
providers  by: 

assessing  whether  performance  expectations  are  being  met. 
quantifying  tuition  refunds  that  may  be  owing  to  the  Department. 
•      implementing  policies  and  procedures  that  outline  steps  and  timelines  for  dealing  with  non-compliance  problems. 

Improving  the  use  of  information  systems — October  2008,  p.  251 

We  recommend  that  the  Department  of  Employment  and  Immigration  improve  the  use  of  its  information  systems  by: 
integrating  its  payment-processing  system  with  other  learner  databases  to  ensure  that  tuition  fee  payments  are 
accurate. 

implementing  adequate  controls  to  ensure  all  key  learner  data  is  promptly  updated  in  the  system, 
using  exception  reports  to  detect  potential  non-compliance  problems. 

Internal  audits  and  home  visits — October  2009,  p.  189 

We  recommend  that  the  Department  of  Employment  and  Immigration  improve  its  processes  by  developing: 
timelines  and  strategies  to  respond  to  findings  arising  from  internal  audits 

a  risk-based  approach  to  augment  the  random  sample  selection  method  currently  used  for  internal  audits  and 
home  visits 

Workers'  Compensation  Board 

The  following  recommendation  is  outstanding  and  not  yet  ready  for  a  follow-up  audit: 
Access  and  security  monitoring — October  2009,  p.  192 

We  recommend  that  WCB  formalize  its  security  monitoring  procedures  to  ensure  that  security  threats  to  critical 
information  systems  are  detected  in  a  timely  manner. 


Energy 
Department 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Improving  processes  to  prepare  financial  information — October  2009.  p.  197 

We  recommend  that  the  Department  of  Energy  improve: 

internal  communication  processes  between  the  Finance  branch  and  program  staff 
quality  control  processes  for  the  preparation  of  working  papers  and  financial  statements 
the  timely  completion  of  accurate  financial  information 


Sustaining  the  continued  accuracy  of  the  revenue  forecast  system — October  2009,  #21,  p.  199 

We  recommend  that  the  Department  of  Energy  improve  the  controls  and  documentation  supporting  the  revenue 
forecast  model  to  help  ensure  the  continued  accuracy  of  the  forecast  system. 

Management  has  identified  these  recommendations  as  implemented — to  be  confirmed  with  follow-up  audits: 
Assurance  on  well  and  production  data — October  2006,  #27,  vol.  2,  p.  76 
(repeated  once  since  October  2005) 

We  again  recommend  the  Department  of  Energy: 

complete  its  risk  assessment  and  evaluate  the  assurance  obtained  from  the  Petroleum  Registry  System  and  the 
Department's  controls  over  well  and  production  data: 

communicate  to  the  Alberta  Energy  and  Utilities  Board  how  much  assurance,  if  any.  the  Department  needs  over 
the  completeness  and  accuracy  of  well  and  production  data. 

Royalty  regime  objectives  and  targets — October  2007,  #9,  vol.  1,  p.  115 

We  recommend  that  the  Ministry  of  Energy  clearly  describe  and  publicly  state  the  objectives  and  targets  of  Alberta's 
royalty  regimes. 
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Royalty  planning,  coverage  and  internal  reporting — October  2007,  #10,  vol.  1,  p.  119 

We  recommend  that  the  Department  of  Energy  improve  the  planning,  coverage,  and  internal  reporting  of  its  royalty 
review  work. 

Royalty — improving  annual  performance  measures — October  2007,  #11,  vol.  1,  p.  124 

We  recommend  that  the  Department  of  Energy  improve  its  annual  performance  measures  that  indicate  royalty  regime 
results. 

Royalty — periodic  public  information — October  2007,  #12,  vol.  1,  p.  126 

We  recommend  that  the  Department  of  Energy  periodically  report  on  the  province's  royalty  regimes.  Periodic  public 
reports  should  use  the  methods  and  tools  of  technical  review  to: 

Provide  information  to  owners,  MLAs,  and  stakeholders  about  the  performance  and  issues  for  Alberta's  royalty 

regimes; 

Demonstrate  the  Department's  capacity  and  methodology  to  analyze  its  royalty  regimes. 
Royalty — enhancing  controls — October  2007,  #13,  vol.  1,  p.  129 

We  recommend  that  the  Department  of  Energy  enhance  controls  for  its  monitoring  and  technical  review  work. 
Documenting  potential  conflicts  of  interest — April  2008,  p.  57 

We  recommend  that  the  Department  of  Energy  follow  its  own  policies  and  processes  by  ensuring  discussions, 
conclusions,  and  actions  taken — including  the  risk-mitigation  strategy — when  an  employee  has  declared  a  potential 
conflict  of  interest  are  clearly  documented  and  retained. 

Alberta's  Bioenergy  Programs — October  2008,  #25,  p.  255 

We  recommend  that  the  Department  of  Energy: 

undertake  and  document  its  analysis  to  quantify  the  environmental  benefits  of  potential  bioenergy  technologies  to 
be  supported  in  Alberta. 

establish  adherence  to  the  Nine  Point  Bioenergy  Plan  as  a  criterion  within  its  bioenergy  project  review  protocol, 
and  require  grant  applications  to  indicate  the  projected  environmental  benefits  of  proposed  projects, 
prior  to  awarding  grants  in  support  of  plant  construction,  require  successful  applicants  to  quantify — with  a  life  cycle 
assessment — the  positive  environmental  impact  relative  to  comparable  non-renewable  energy  products. 

Energy  Resources  Conservation  Board 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 

Liability  management  for  suspension,  abandonment  and  reclamation  activities — October  2005,  #30,  p.  173 

We  recommend  that  the  Alberta  Energy  and  Utilities  Board  improve  its  systems  by  monitoring  the  timeliness  in  which 
industry  restores  wells,  facilities  and  pipelines  to  a  safe  and  stable  condition  after  permanent  dismantling. 

IT  control  framework— October  2007,  #24,  vol.  2,  p.  71 

We  recommend  that  the  Alberta  Energy  and  Utilities  Board  (EUB)  implement  an  IT  control  framework  to  mitigate 
identified  risks  to  the  organization. 

Management  has  identified  this  recommendation  as  implemented — to  be  confirmed  with  a  follow-up  audit: 
Assurance  systems  for  volumetric  accuracy — October  2005,  #29,  p.  169 

We  recommend  that  the  Alberta  Energy  and  Utilities  Board  explore  ways  to  strengthen  controls  for  verifying  the 
accuracy  and  completeness  of  oil  and  natural  gas  volumetric  data  and  for  enforcing  measurement  standards. 

Environment 
Department 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Drinking  Water:  Approvals  and  registrations — October  2006,  #1,  vol.  1,  p.  37 

We  recommend  that  the  Department  of  Environment  make  its  system  to  issue  approvals  and  registrations  more 
effective  by: 

Strengthening  supporting  processes  such  as  training,  manuals,  checklists,  and  quality  control  for  approvals  and 
registrations, 

Ensuring  that  applications  are  complete  and  legislatively  compliant, 
Documenting  important  decisions  in  the  application  and  registration  processes, 
Processing  applications  and  conversions  promptly, 

Maintaining  consistency  in  the  wording  of  approvals  and  registrations  across  the  province,  and 
Following  up  short-term  conditions  in  approvals. 
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Drinking  Water:  Inspection  system— October  2006,  #2,  vol.  1,  p.  43 

We  recommend  that  the  Department  of  Environment  improve  its  drinking  water  inspection  processes  by: 

Applying  the  same  inspection  frequency  targets  to  all  waterworks  regulated  by  the  Environmental  Protection  and 
Enhancement  Act, 

Ensuring  inspectors  receive  sufficient  training  in  waterworks  systems  and  operations. 

Revising  documentation  tools  and  practices,  including  making  them  more  risk  focused,  and 

Informing  operators  promptly  of  inspection  results,  ensuring  operators  respond  appropriately,  and  concluding  on 

each  inspection. 

Drinking  Water:  Communicating  with  partners— October  2006.  vol.  1.  p.  48 

We  recommend  that  the  Department  of  Environment  at  the  district  level  expand  its  communication  with  partners 
involved  in  drinking  water  matters. 

Drinking  Water:  Information  systems — October  2006,  #4,  vol.  1,  p.  52 

We  recommend  that  the  Department  of  Environment  improve  the  information  systems  used  to  manage  its  drinking 
water  businesses  by: 

Updating  EMS  forms  and  improving  reporting  capacity, 

Coordinating  regional,  district,  and  personal  information  systems  to  avoid  overlap  and  encourage  best  practice, 
and 

Using  data  to  improve  program  effectiveness  and  efficiency. 
Drinking  Water:  Supporting  drinking  water  goals — October  2006,  #5,  vol.  1,  p.  55 

We  recommend  that  the  Department  of  Environment  ensure  that  its  legislation,  programs,  and  practices  support  its  new 
drinking  water  goals.  This  includes: 

•      Clarifying  how  approvals  will  move  facilities  towards  current  standards: 
Delivering  central  initiatives  that  enhance  the  drinking  water  program; 

Determining  how  the  Department  should  promote  policy  initiatives  such  as  regionalization.  including  the  financing 
of  those  initiatives; 

Establishing  how  the  Department  can  partner  with  others  while  mitigating  the  risks  inherent  in  partnering;  and 
Reinforcing  a  "beyond  compliance"  mindset  with  Department  staff. 

Water  Well  Drilling— October  2006,  #28,  vol.  2,  p.  84 

We  recommend  that  the  Department  of  Environment  improve  its  system  to  regulate  water  well  drilling  by: 
Ensuring  that  drillers  and  drilling  companies  meet  approval  requirements; 
Implementing  controls  to  ensure  that  water  well  drilling  reports  are: 

received  on  time, 

complete  and  accurate,  and 

accurately  entered  into  the  Groundwater  Information  System; 
Obtaining  assurance  that  water  well  drilling  activities  in  the  field  meet  legislated  standards. 

Climate  change:  Planning— October  2008,  #9,  p.  97 

We  recommend  that  the  Ministry  of  Environment  improve  Alberta's  response  to  climate  change  by: 
establishing  overall  criteria  for  selecting  climate-change  actions. 

creating  and  maintaining  a  master  implementation  plan  for  the  actions  necessary  to  meet  the  emissions-intensity 
target  for  2020  and  the  emissions-reduction  target  for  2050. 

corroborating — through  modeling  or  other  analysis — that  the  actions  chosen  by  the  Ministry  result  in  Alberta  being 
on  track  for  achieving  its  targets  for  2020  and  2050. 

Climate  change:  Monitoring  processes — October  2008,  #10,  p.  100 

We  recommend  that  for  each  major  action  in  the  2008  Climate  Change  Strategy,  the  Ministry  of  Environment  evaluate 
the  action's  effect  in  achieving  Alberta's  climate  change  goals. 

Climate  change:  Public  reporting— October  2008,  #11,  p.  101 

We  recommend  that  the  Ministry  of  Environment  improve  the  reliability,  comparability  and  relevance  of  its  public 
reporting  on  Alberta's  success  and  costs  incurred  in  meeting  climate-change  targets. 

Climate  change:  Data  quality — October  2009,  p.  40 

We  recommend  that  the  Department  of  Environment  strengthen  its  guidance  for  baseline  and  compliance  reporting  by: 
clarifying  when  uncertainty  calculations  must  be  done 

prescribing  the  minimum  required  quality  standards  for  data  in  terms  of  minimum  required  frequency  of 
measurement  and  connection  to  the  period  being  reported  on 
describing  the  types  of  data  controls  that  facilities  should  have  in  place 
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Climate  change:  Guidance  to  verifiers  of  facility  baseline  and  compliance  reports — October  2009,  #3,  p.  42 

We  recommend  that  the  Department  of  Environment  strengthen  its  baseline  and  compliance  guidance  for  verifiers  by 
improving  the  description  of  the  requirements  for: 

the  nature  and  extent  of  testing  required 

the  content  of  verification  reports 

assurance  competencies 

Climate  change:  Technical  review — October  2009,  p.  45 

We  recommend  that  the  Department  of  Environment  strengthen  its  technical  review  processes  by: 
requiring  facilities  to  provide  a  process  map  with  their  compliance  reporting  and 
ensuring  staff  document  their  follow-up  activity  and  decisions  in  the  Department's  regulatory  database 

Climate  change:  Use  of  offsets  to  meet  compliance  obligations — October  2009,  #4,  p.  46 

We  recommend  that  the  Department  of  Environment: 

strengthen  its  offset  protocols  to  have  sufficient  assurance  that  offsets  used  for  compliance  are  valid 
assess  the  risk  of  offsets  applied  in  Alberta  having  been  used  elsewhere  in  the  world 

Climate  change:  Outsourced  service  providers — October  2009,  p.  49 

We  recommend  that  the  Department  of  Environment  develop  controls  to  gain  assurance  that  data  hosted  or  processed 
by  third  parties  is  complete,  accurate  and  secure. 

We  also  recommend  that  the  Department  of  Environment  formalize  its  agreement  with  its  service  provider  for  the 
Alberta  Emissions  Offset  Registry. 

Climate  change:  Error  correction  threshold — October  2009,  p.  50 

We  recommend  the  Department  of  Environment  establish  an  error  correction  threshold  that  considers  not  only  the 
percentages  of  emissions  or  production,  but  also  the  dollar  impact  on  the  Climate  Change  and  Emissions  Management 
Fund. 

Climate  change:  Cost-effectiveness  of  regulatory  processes — October  2009,  #5,  p.  51 

We  recommend  that  the  Department  of  Environment  assess  the  cost-effectiveness  of  the  Specified  Gas  Emitters 

Regulation. 

Financial  security  for  land  disturbances — October  2009,  #23,  p.  207 
(repeated  two  times  since  October  1999) 

We  again  recommend  that  the  Department  of  Environment  implement  a  system  for  obtaining  sufficient  financial  security 
to  ensure  parties  complete  the  conservation  and  reclamation  activity  that  the  Department  regulates. 

Backlog  of  Water  Act  applications — April  2010,  #4,  p.  65 

We  recommend  that  the  Department  of  Environment  minimize  the  backlog  of  outstanding  applications  for  Water  Act 
licences  and  approvals. 

Assessing  compliance  with  the  Water  Act — April  2010,  #5,  p.  68 

We  recommend  that  the  Department  of  Environment  ensure  its  controls  provide  adequate  assurance  that  performance 
in  the  field  by  licence  and  approval  holders  as  well  as  others  complies  with  the  Water  Act. 

Wetland  compensation — April  2010,  #6,  p.  71 

We  recommend  that  the  Department  of  Environment  formalize  its  wetland  compensation  relationships  and  control 
procedures. 

WPAC  grants  and  contracts— April  2010,  #7,  p.  73 

We  recommend  that  the  Department  of  Environment  strengthen  its  control  of  grants  and  contracts  with  Watershed 
Planning  and  Advisory  Councils. 

Executive  Council 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
CEO:  Guidance— October  2008,  #1,  p.  27 

We  recommend  that  the  Deputy  Minister  of  Executive  Council  through  the  Agency  Governance  Secretariat  assist 
agencies  and  departments  by  providing  guidance  in  the  areas  of  CEO  selection,  evaluation  and  compensation. 

Agency  Governance  Secretariat:  CEO  Accountability — October  2008,  #2,  p.  29 

We  recommend  the  Agency  Governance  Secretariat,  on  behalf  of  Ministers,  annually  obtain  information  from  agencies 
on  CEO  evaluation  and  compensation  processes  to  assess  if  good  practices  are  being  consistently  followed.  The 
results  of  these  systems  assessments  should  be  reported  to  Ministers,  who  should  then  hold  boards  of  directors 
accountable  for  their  decisions. 
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Public  agencies:  Executive  Compensation  Practices — October  2009.  #1,  p.  23 

We  recommend  that  the  Deputy  Minister  of  Executive  Council,  through  the  Agency  Governance  Secretariat,  assist 
public  agencies  and  departments  by  providing  guidance  on  executive  compensation  practices  for  all  public  agency 
senior  executives. 

Finance  and  Enterprise 
Department 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Public  reporting  of  revenue  forecasts— October  2007.  #16.  vol.  1,  p.  149 

We  recommend  that  the  Department  of  Finance  enhance  the  public  reporting  of  revenue  forecasts  by: 

explaining  the  difference  between  the  government's  non-renewable  resource  revenue  forecast  and  those  of  other 
private  sector  forecasters. 

disclosing  investment  income  sensitivity  to  changes  in  rate  of  return  earned  on  equity  investments 

explaining  the  expected  range  for  the  government's  total  revenue  forecast  including  the  reasonability  of  previous 

forecasts. 

Obtaining  assurance  on  third  party  service  providers — October  2007,  vol.  2,  p.  87 

We  recommend  that  the  Tax  and  Revenue  Administration  Division  of  the  Ministry  of  Finance  ensure  that  controls  over 
Ministry  information  assets  hosted  or  administered  by  third  party  service  providers  are  documented  and  operating 
effectively. 

Improve  accountability — April  2010,  #12,  p.  96 

We  recommend  that  the  Department  of  Finance  and  Enterprise  clarify  its  business  objectives  for  Alberta  Treasury 
Branches,  within  their  Memorandum  of  Understanding,  in  relation  to  the  level  of  risk  the  Department  expects  Alberta 
Treasury  Branches  to  take. 

Implementation  plan  for  regulatory  and  supervisory  frameworks — April  2010,  #13,  p.  97 

We  recommend  that  the  Department  of  Finance  and  Enterprise  develop  an  implementation  plan  for  its  approach  to 
regulating  and  supervising  regulated  financial  institutions. 

Completion  of  risk  assessments — April  2010,  p.  100 

We  recommend  that  the  Department  of  Finance  and  Enterprise  complete  risk  assessments  and  evaluate  the  quality  of 
the  regulated  entities'  risk  management  practices. 

Monitoring  legislative  compliance — April  2010,  #14.  p.  101 

We  recommend  that  the  Department  of  Finance  and  Enterprise  strengthen  its  processes  to  ensure  identified  legislative 
non-compliance  matters  are  remediated. 

Improve  transparency — April  2010,  p.  102 

We  recommend  that  the  Department  of  Finance  and  Enterprise: 

clearly  identify  which  guidelines  and  supervisory  rules  are  applicable  for  the  regulated  entities 
develop  processes  to  monitor  compliance  with  the  guidelines 

assess  how  risks  are  mitigated  for  those  guidelines  and  supervisory  rules  that  are  not  applicable 

Management  has  identified  these  recommendations  as  implemented — to  be  confirmed  with  follow-up  audits: 
Rates  of  return  used  to  forecast  investment  income — October  2007,  vol.  1,  p.  142 

We  recommend  that  the  Department  of  Finance  incorporate  the  return  from  active  management  of  the  Alberta  Heritage 
Savings  Trust  Fund  in  the  forecast  of  investment  income. 

Personal  income  tax  forecast — October  2007,  vol.  1,  p.  143 

We  recommend  that  the  Department  of  Finance  improve  its  method  for  estimating  historical  personal  income  growth 
used  to  forecast  personal  income  tax  revenues. 

Corporate  income  tax  forecast — October  2007,  #14,  vol.  1,  p.  145 

We  recommend  that  the  Department  of  Finance  improve  its  model  for  estimating  corporate  taxable  income. 
User  access— October  2008,  p.  272 

We  recommend  that  the  Department  of  Finance  and  Enterprise  review  all  user  access  to  business  data  to  ensure  that 
unauthorized  changes  are  prevented  and  appropriate  incident  monitoring  exists  to  ensure  systems  issues  are  promptly 
resolved. 

Quality  control  process  over  review  of  information  in  the  annual  report — October  2009,  p.  214 

We  recommend  that  the  Department  of  Finance  and  Enterprise  improve  its  quality  control  review  process  over  the 
financial  statements  information  in  the  Ministry  annual  report. 
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Contract  agreements — October  2009,  p.  216 

We  recommend  that  the  Department  of  Finance  and  Enterprise  have  signed  contract  agreements  in  place  before  goods 
or  services  are  supplied. 

Alberta  Capital  Finance  Authority 

The  following  recommendation  is  outstanding  and  not  yet  ready  for  a  follow-up  audit: 
Additional  skilled  resources  required — April  2009,  p.  103 

We  recommend  that  management  of  Alberta  Capital  Finance  Authority  secure  additional  skilled  resources  to  help 
implement  new  required  financial  accounting  standards  and  to  ensure  the  cost-effective  preparation  and  management 
review  of  its  annual  financial  statements. 

Alberta  Investment  Management  Corporation  (AIMCo) 

The  following  recommendations  are  outstanding  and  are  not  yet  ready  for  follow-up  audits: 
Coordination  with  the  Department  of  Finance  and  Enterprise — October  2009,  p.  235 

We  recommend  that  AIMCo  work  with  the  Department  of  Finance  and  Enterprise  to: 

record  all  financial  statement  accounting  adjustments  in  the  investments  general  ledger  on  a  timely  basis 
coordinate  the  timing  of  private  investment  valuations  so  that  valuation  updates  to  the  investments  general  ledger 
are  entered  before  the  Department  performs  its  quarterly  write-down  analysis 

Internal  control  certification— October  2008,  #32,  p.  282 

We  recommend  that  Alberta  Investment  Management  Corporation  introduce  a  process  to  prepare  to  internal  control 
certification  by: 

ensuring  that  its  strategic  plan  includes  internal  control  certification 
developing  a  top-down,  risk-based  process  for  internal  control  design 
selecting  an  appropriate  internal  control  risk-assessment  framework 

considering  sub-certification  processes,  with  direct  reports  to  the  Chief  Executive  Officer  and  Chief  Financial 
Officer  providing  formal  certification  on  their  areas  of  responsibility 

ensuring  that  management  compensation  systems  incorporate  the  requirement  for  good  internal  control 
using  a  phased  approach  to  assess  the  design  and  operating  effectiveness  of  internal  controls 

Management  has  identified  these  recommendations  as  implemented — to  be  confirmed  with  follow-up  audits: 
Access  and  change  management  controls — October  2007,  vol.  2,  p.  93 

We  recommend  that  Alberta  Investment  Management  establish  access  and  change  management  controls  for  its 
investment-related  computer  information  systems. 

AIMCo  financial  statements— October  2009,  p.  236 

We  recommend  that  AIMCo  improve  its  processes  and  internal  controls  to  achieve  completeness,  accuracy  and 
increased  efficiency  in  financial  reporting. 

Alberta  Treasury  Branches  (ATB) 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Treasury  management:  Interest  rate  risk  controls — October  2008,  p.  136 

We  recommend  that  Alberta  Treasury  Branches  put  in  place  controls  necessary  to  ensure  consistent  measurement  of 
interest  rate  risk. 

Treasury  management:  Role  and  use  of  middle  office — October  2008,  p.  137 

We  recommend  that  Alberta  Treasury  Branches  expand  the  role  of  its  middle  office1  to  include  responsibilities  for 
monitoring  interest  rate  risk.  We  also  recommend  that  management  ensure  the  middle  office  has  the  necessary 
resources  to  monitor  foreign  exchange  activities  and  fulfill  its  other  responsibilities. 

Treasury  management:  Treasury  information  systems — October  2008,  p.  138 

We  recommend  that  Alberta  Treasury  Branches: 

evaluate  its  current  treasury  information  systems  against  its  business  requirements 
develop  and  implement  a  treasury  information  technology  plan  to  upgrade  its  tools 

Fair-value  calculations  of  investments — October  2008,  p.  274 

We  recommend  that  Alberta  Treasury  Branches  improve  controls  over  fair-value  calculations  of  its  investments  and 
derivatives  by: 

implementing  a  peer-review-and-approval  process  for  inputs  and  assumptions  used  in  the  valuation  models, 
using  a  benchmarking  process — as  an  alternative  process  for  derivatives — to  assess  reasonability  of  its  calculated 
fair  values. 

documenting  the  results  of  this  work  consistently. 


1      The  Middle  Office  monitors  market  risk,  values  securities  and  derivatives,  and  ensures  compliance  with  certain  treasury  limits/ 

policies 
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Derivative  credit  limits  in  report — October  2008.  p.  276 

We  recommend  that  Alberta  Treasury  Branches  promptly  update  the  derivative  credit  limits  disclosed  on  the  daily 
derivative  credit  exposure  report 

Internal  control  weaknesses— October  2008.  #29.  p.  278 

We  recommend  that  Alberta  Treasury  Branches  validate  and  approve  business  processes  and  internal  control 
documentation  developed  by  its  internal  control  group  and  implement  plans  to  resolve  identified  internal  control 
weaknesses. 

Securitization  policy  and  business  rules— October  2008.  #31,  p.  280 

We  recommend  that  Alberta  Treasury  Branches  develop  and  implement  a  securitization  policy  and  securitization 
business  rules. 

Internal  controls— October  2009,  p.  221 

We  recommend  that  the  Alberta  Treasury  Branches  Strategic  Steering  Committee  receive  the  appropriate  assurance 
from  the  project  leadership  team  that  the  organization's  control  objectives  have  been  satisfied  before  the  user 
acceptance  testing  phase  of  the  project  is  complete. 

Organization-wide  information  technology  oversight — October  2009,  #24.  p.  222 

We  recommend  that  Alberta  Treasury  Branches  improve  the  efficiency  and  effectiveness  of  its  computing  environment 
by  developing  a  process  to  ensure  all  ATB  Business  Units  adopt  and  follow  an  organization-wide  Information 
Technology  governance  and  control  framework. 

Service  auditor  reports — user  control  considerations — October  2009,  p.  227 

We  recommend  that  Alberta  Treasury  Branches  improve  its  processes  related  to  service  providers  by  ensuring  its 
business  areas: 

receive  service  provider  audit  reports 

review  service  provider  audit  reports  and  assess  the  impact  of  identified  internal  control  weaknesses 
put  end-user  controls  in  place  to  complement  service  provider  controls 

Management  has  identified  these  recommendations  as  implemented — to  be  confirmed  with  follow-up  audits: 
Risk  management— October  2003,  #16,  p.  121 
(repeated  once  since  October  2002) 

We  again  recommend  that  Alberta  Treasury  Branches  implement  an  enterprise  risk  management  framework  to  assist  in 
managing  significant  risks. 

Treasury  management:  Business  rules  and  operating  procedures — October  2008,  #12,  p.  118 

We  recommend  that  Alberta  Treasury  Branches  develop  and  document  the  business  rules  and  operating  procedures 
required  to  implement  the  improved  investment  policy  being  developed. 

Treasury  management:  Performance  targets — October  2008,  p.  123 

We  recommend  that  Alberta  Treasury  Branches  improve  its  process  for  establishing  Global  Financial  Market's 
performance  targets  by  discussing  the  targets  with  the  senior  Asset  Liability  Committee  (ALCO)  and  maintaining 
evidence  that  supports  decisions  made. 

Treasury  management:  Variable  pay  program — October  2008,  p.  125 

We  recommend  that  Alberta  Treasury  Branches  complete  its  business  rules  on  how  variable  pay  is  calculated  for  Global 
Financial  Markets'  staff  by  clarifying  how  to  deal  with: 

revenue  not  collected 

investment  losses 

Treasury  management:  Liquidity  reporting — October  2008,  p.  127 

We  recommend  that  Alberta  Treasury  Branches  agree  internally  on  a  consistent  measure  of  liquidity  and  report 
that  measurement  to  the  Board  and  to  the  Department  of  Alberta  Finance  and  Enterprise  to  provide  regular  and  fair 
reporting. 

Treasury  management:  Liquidity  simulations — October  2008,  p.  128 

We  recommend  that  Alberta  Treasury  Branches  further  expand  its  use  of  liquidity  simulations  as  a  forward  looking 
liquidity  risk  measurement  tool.  We  also  recommend  that  ALCO  and  the  Board  oversight  committee  consider  whether 
the  results  of  liquidity  simulations  indicate  a  need  to  modify  its  business  plan. 

Treasury  management:  Liquidity  contingency  plan — October  2008,  #13,  p.  129 

We  recommend  that  Alberta  Treasury  Branches  develop  a  comprehensive  liquidity  contingency  plan  to  be  better 
prepared  for  a  liquidity  crisis  and  to  fully  comply  with  Alberta  Finance  and  Enterprise's  Liquidity  Guideline.  The  plan 
should  be  updated  and  approved  regularly. 
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Treasury  management:  Interest  rate  risk  reporting — October  2008,  #14,  p.  131 

We  recommend  that  Alberta  Treasury  Branches  provide  better — more  qualitative  and  quantitative — reporting  to  senior 
management  and  the  Board  on  its  interest  rate  risk  management. 

Treasury  management:  Interest  rate  risk  model  assumptions — October  2008,  p.  132 

We  recommend  that  Alberta  Treasury  Branches  improve  processes  for  creating,  applying  and  validating  assumptions 
used  in  its  interest  rate  risk  models. 

Treasury  management:  Interest  rate  risk  modeling  and  stress  testing — October  2008,  p.  134 

We  recommend  that  Alberta  Treasury  Branches  define  its  significant  interest  rate  risk  exposures  and  model  those 
significant  exposures  to  assess  the  effects  on  future  financial  results. 

Treasury  management:  Treasury  policies — October  2008,  p.  139 

We  recommend  that  Alberta  Treasury  Branches  implement  the  updated  investment  and  derivatives  policies  for  changes 
arising  from  its  recent  review  of  those  policies.  We  also  recommend  that  ATB  review  the  financial  risk  management 
policy. 

Treasury  management:  Role  of  ALCO— October  2008,  #15,  p.  142 

We  recommend  that  Alberta  Treasury  Branches  review  the  role  of  the  Asset  Liability  Committee  (ALCO)  and  consider 
restructuring  it  into  two  tiers. 

Treasury  management:  Internal  audit  program — October  2008,  p.  143 

We  recommend  that  Alberta  Treasury  Branches  internal  audit  department  regularly  examine  all  types  of  Alberta 
Treasury  Branches'  derivative  activities  to: 

promptly  identify  and  rectify  internal  control  weaknesses 

fully  comply  with  the  Alberta  Finance  and  Enterprise  Derivatives  Best  Practices  Guideline 

Health  and  Wellness 
Department 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 

Accountability  of  the  health  regions  to  the  Minister  of  Health  and  Wellness — October  2004,  #23,  p.  197 

We  again  recommend  that  the  Department  of  Health  and  Wellness  improve  accountability  of  the  Health  Regions  to  the 
Minister  by: 

ensuring  performance  expectations  for  the  Health  Regions  are  explicit  and  accepted  by  the  Health  Regions, 
reviewing  and  providing  feedback  to  the  Health  Regions  on  the  Health  Regions'  progress  towards  meeting 
expectations,  and 

taking  follow  up  actions,  including  rewards  and  sanctions,  to  improve  the  future  performance  of  the  Health 
Regions. 

Accountability  for  health  care  costs — Ministry  annual  report  results  analysis — October  2006,  #31,  vol.  2,  p.  116 

We  recommend  that  the  Ministry  of  Health  and  Wellness  explain  and  quantify  annually — in  its  annual  report — key 
factors  affecting  health  care  costs. 

Accountability  for  health  care  costs — Performance  measures — October  2006,  #32,  vol.  2,  p.  118 

We  recommend  that  the  Ministry  of  Health  and  Wellness  link  health  costs  to  outputs  for  the  Ministry  as  a  whole — in  its 
annual  report. 

Analysis  of  physician  billing  information — October  2006,  #33,  vol.  2,  p.  120 
(repeated  once  since  October  2001) 

We  recommend  that  the  Department  of  Health  and  Wellness  strengthen  its  processes  to  analyze  and  investigate 
anomalies  in  physician  billing  information. 

Information  technology  control  environment — October  2006,  #34,  vol.  2,  p.  123 
(repeated  twice  since  October  2002) 

We  again  recommend  that  the  Department  of  Health  and  Wellness  carry  out  a  comprehensive  risk  assessment  of  its  IT 
environment,  and  develop  and  implement  an  IT  disaster  recovery  plan. 

Unauthorized  network  connections — October  2007,  vol.  2,  p.  105 

We  recommend  that  the  Department  of  Health  and  Wellness  improve  its  procedures  to  enforce  and  monitor  compliance 
with  its  Information  Security  Policy. 

Provincial  Mental  Health  Plan— The  accountability  framework — April  2008,  #4,  p.  77 

We  recommend  that  the  Department  of  Health  and  Wellness  ensure  there  is  a  complete  accountability  framework  for 
the  Provincial  Mental  Health  Plan  and  mental  health  services  in  Alberta. 


 Report  of  the  Auditor  General  of  Alberta 


October  2010 


Outstanding  Recommendations 


Compliance  monitoring  activities — October  2008,  #35,  p.  300 

We  recommend  that  the  Department  of  Health  and  Wellness  complete  a  comprehensive  risk  assessment  and  develop  a 
risk  based  plan  to  improve  the  effectiveness  of  its  compliance-monitoring  activities. 

Electronic  Health  Records:  Project  management — October  2009.  #7.  p.  75 

We  recommend  the  Department  of  Health  and  Wellness  execute  publicly  funded  electronic  health  record  projects  and 
initiatives  in  accordance  with  established  project  management  standards. 

Electronic  Health  Records:  Monitoring  the  EHR— October  2009,  #8,  p.  78 

We  recommend  the  Department  of  Health  and  Wellness  proactively  monitor  access  to  the  portal  (Netcare).  through 
which  the  electronic  health  records  can  be  viewed,  reviewing  it  for  potential  attacks,  breaches  and  system  anomalies 

Electronic  Health  Records:  User  access  management — October  2009.  p.  80 

We  recommend  that  the  Department  of  Health  and  Wellness  ensure  that  its  user  access  management  policies  are 
followed  and  that  user  access  to  health  information  is  removed  when  access  privileges  are  no  longer  required 

Monitoring  infection  prevention  and  control  processes  (compliance  monitoring  activities) — October  2009. 
p.  248 

We  recommend  that  the  Department  of  Health  and  Wellness  examine  and  clarify  the  role  of  its  Compliance  Assurance 
Branch  in  the  implementation  and  execution  of  infection  prevention  and  control  compliance  monitoring  in  Alberta. 

Accountability  for  conditional  grants — October  2009,  p.  252 
(repeated  twice  since  October  2002) 

We  again  recommend  that  the  Department  of  Health  and  Wellness  improve  its  control  processes  to  ensure 
accountability  for  conditional  grants. 

The  Departments  of  Health  and  Wellness  and  Agriculture  and  Rural  Development 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 

Food  Safety:  Integrated  food  safety  planning  and  activities — October  2009,  #11.  p.  107 
(repeated  once  since  October  2006) 

We  again  recommend  that  the  Departments  of  Health  and  Wellness  and  Agriculture  and  Rural  Development,  in 
cooperation  with  Alberta  Health  Services  and  federal  regulators,  improve  planning  and  coordination  of  food  safety 
activities  and  initiatives.  This  includes: 

improving  day-to-day  coordination  of  provincial  food  safety  activities 

improving  cooperation  and  working  relationships  among  provincial  and  federal  partners  such  as  the  First  Nations 
and  Inuit  Health  Branch  and  the  Canadian  Food  Inspection  Agency 

Food  Safety:  Eliminating  gaps  in  food  safety  inspection  coverage — October  2009,  #12,  p.  111 
(repeated  once  since  October  2006) 

We  again  recommend  that  Alberta  Health  Services  and  the  Departments  of  Health  and  Wellness  and  Agriculture  and 
Rural  Development,  working  with  federal  regulators,  eliminate  the  existing  gaps  in  food  safety  coverage  in  Alberta. 
Gaps  include: 

mobile  butchers 

consistently  administering  the  Meat  Facility  Standard 
coordinating  inspections  in  the  "non-federally  registered"  sector 

Food  Safety:  Accountability— October  2009,  #13,  p.  114 
(repeated  once  since  October  2006) 

We  again  recommend  that  the  Departments  of  Health  and  Wellness  and  Agriculture  and  Rural  Development  improve 
reporting  on  food  safety  in  Alberta. 

The  Departments  of  Health  and  Wellness  and  Alberta  Health  Services 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 

Seniors  Care:  Effectiveness  of  services  in  long-term  care  facilities — October  2005,  #7,  p.  59 

We  recommend  that  the  Department  of  Health  and  Wellness  and  the  Regional  Health  Authorities,  working  with  the 
Department  of  Seniors  and  Community  Supports,  assess  the  effectiveness  of  services  in  long-term  care  facilities. 

Seniors  Care:  Effectiveness  of  services  in  long-term  care  facilities — October  2005,  #8,  p.  59 

We  recommend  that  the  Department  of  Health  and  Wellness,  working  with  the  Department  of  Seniors  and  Community 
Supports,  collect  sufficient  information  about  facility  costs  from  the  Regional  Health  Authorities  and  long-term  care 
facilities  to  make  accommodation  rate  and  funding  decisions. 
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Mental  Health:  Provincial  Mental  Health  Plan:  Implementation  systems — April  2008,  #3,  p.  72 

We  recommend  that  the  Alberta  Mental  Health  Board  and  the  Department  of  Health  and  Wellness,  working  with  other 
mental  health  participants,  strengthen  implementation  of  the  Provincial  Mental  Health  Plan  by  improving: 
implementation  planning, 

the  monitoring  and  reporting  of  implementation  activities  against  implementation  plans,  and 

the  system  to  adjust  the  Plan  and  implementation  initiatives  in  response  to  changing  circumstances. 

Mental  Health:  Standards— October  2008,  #16,  p.  162 

We  recommend  that  the  Department  of  Health  and  Wellness  and  Alberta  Health  Services  create  provincial  standards 
for  mental  health  services  in  Alberta. 

Mental  Health:  Funding,  planning,  and  reporting — October  2008,  p.  186 

We  recommend  that  the  Department  of  Health  and  Wellness  and  Alberta  Health  Services  ensure  the  funding,  planning, 
and  reporting  of  mental  health  services  supports  the  transformation  outlined  in  the  Provincial  Mental  Health  Plan  as  well 
as  system  accountability. 

Mental  Health:  Aboriginal  and  suicide  priorities — October  2008,  p.  190 

We  recommend  that  the  Department  of  Health  and  Wellness  and  Alberta  Health  Services  consider  whether  the 
implementation  priority  for  aboriginal  and  suicide  issues  is  appropriate  for  the  next  provincial  strategic  mental  health 
plan. 

Electronic  Health  Records:  Oversight  and  accountability  for  electronic  health  records  (EHR) — October  2009, 

#6,  p.  73 

We  recommend  that  the  Department  of  Health  and  Wellness  and  Alberta  Health  Services,  working  with  the  EHR 
Governance  Committee,  improve  the  oversight  of  electronic  health  record  systems  by: 

maintaining  an  integrated  delivery  plan  that  aligns  with  the  strategic  plan 

improving  systems  to  regularly  report  costs,  timelines,  progress  and  outcomes 

Management  has  identified  these  recommendations  as  implemented — to  be  confirmed  with  follow-up  audits: 
Seniors  Care:  Compliance  with  Basic  Service  Standards — October  2005,  #6,  p.  58 

We  recommend  that  the  Department  of  Health  and  Wellness  and  the  Regional  Health  Authorities,  working  with  the 
Department  of  Seniors  and  Community  Supports,  improve  the  systems  for  monitoring  the  compliance  of  long-term  care 
facilities  with  the  Basic  Service  Standards. 

Seniors  Care:  Information  to  monitor  compliance  with  legislation — October  2005,  p.  61 

We  recommend  that  the  Department  of  Health  and  Wellness,  working  with  the  Regional  Health  Authorities  and  the 
Department  of  Seniors  and  Community  Supports,  identify  the  information  required  from  long-term  care  facilities  to 
enable  the  Departments  and  Authorities  to  monitor  their  compliance  with  legislation. 

Seniors  Care:  Determining  future  needs  for  services  in  long-term  care  facilities — October  2005,  #9,  p.  62 

We  recommend  that  the  Department  of  Health  and  Wellness,  working  with  Regional  Health  Authorities  and  the 
Department  of  Seniors  and  Community  Supports,  develop  a  long-term  plan  to  meet  future  needs  for  services  in  long- 
term  care  facilities.  We  also  recommend  that  the  Departments  publicly  report  on  progress  made  towards  goals  in  the 
plan. 

Seniors  Care:  Determining  future  needs  for  services  in  long-term  care  facilities — October  2005,  p.  62 

We  recommend  that  the  Department  of  Health  and  Wellness  require  Regional  Health  Authorities  to  periodically  update 
and  report  on  progress  implementing  their  Ten-Year  Continuing  Care  Strategic  Service  Plans. 

Food  Safety:  Tools  to  promote  and  enforce  food  safety — October  2006,  vol.  1,  p.  83 

We  recommend  that  the  regional  health  authorities  and  the  Department  of  Health  and  Wellness  consider  a  wider  range 
of  tools  to  promote  and  enforce  food  safety. 

Alberta  Health  Services 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Calgary:  Inappropriate  user  access — October  2007,  #29,  vol.  2,  p.  113 

We  recommend  that  the  Calgary  Health  Region  regularly  review  all  user  accounts  and  roles  assigned  within  systems 
and  applications  for  inappropriate  access  privileges. 

Cancer  Board:  Controls  over  access  to  computer  applications — October  2007,  vol.  2,  p.  115 

We  recommend  that  the  Alberta  Cancer  Board  promptly  end  network  and  application  access  for  terminated  employees. 

AADAC  General  computer  controls— 2006-07,  vol.  2,  p.  116 

We  recommend  that  the  Alberta  Alcohol  and  Drug  Abuse  Commission  document  and  follow  a  comprehensive 
information  technology  control  framework. 
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Mental  Health:  Housing  and  supportive  living— October  2008.  #17,  p.  164 

We  recommend  that  Alberta  Health  Services  encourage  mental  health  housing  development  and  provide  supportive 
living  programs  so  mental  health  clients  can  recover  in  the  community. 

Mental  Health:  Concurrent  disorders— October  2008.  #18.  p.  168 

We  recommend  that  Alberta  Health  Services  strengthen  integrated  treatment  for  clients  with  severe  concurrent 
disorders  (mental  health  issues  combined  with  addiction  issues). 

Mental  Health:  Not-for-profit  organizations— October  2008,  p.  169 

We  recommend  that  Alberta  Health  Services  improve  relationships  with  not-for-profit  organizations  to  provide  better 
coordinated  service  delivery. 

Mental  Health:  Gaps  in  service— October  2008,  #19.  p.  171 

We  recommend  that  Alberta  Health  Services  reduce  gaps  in  mental  health  delivery  services  by  enhancing: 
Mental  health  professionals  at  points  of  entry  to  the  system: 
Coordinated  intake: 

Specialized  programs  in  medium-sized  cities: 

Transition  management  between  hospital  and  community  care. 

Mental  Health:  Provincial  coordination — October  2008,  p.  176 

We  recommend  that  Alberta  Health  Services  coordinate  mental  health  service  delivery  across  the  province  better  by: 
Strengthening  inter-regional  coordination. 

Implementing  standard  information  systems  and  data  sets  for  mental  health. 
Implementing  common  operating  procedures. 

Collecting  and  analyzing  data  for  evidence-based  evaluation  of  mental  health  programs. 
Mental  Health:  Community-based  service  delivery — October  2008,  p.  181 

We  recommend  that  Alberta  Health  Services  strengthen  service  delivery  for  mental  health  clients  at  regional  clinics  by 
improving: 

Wait  time  management. 

Treatment  plans,  agreed  with  the  client. 

Progress  notes. 

Case  conferencing. 

File  closure. 

Timely  data  capture  on  information  systems. 
Client  follow  up  and  analysis  of  recovery. 

Calgary:  IT  user  access  management  controls — October  2008,  p.  307 

We  recommend  that  the  Alberta  Health  Services — Calgary  Health  Region  update  its  user  access  management  policies 
and  procedures,  follow  them  and  implement  monitoring  controls  to  ensure  they  are  complied  with. 

Capital:  IT  security  controls— October  2008,  p.  308 

We  recommend  that  Alberta  Health  Services — Capital  Health  improve  its  information  technology  security  controls  over 
user-access  administration,  privileged  user  accounts,  security  violations,  and  passwords. 

Peace  Country:  Expense  claims  and  corporate  credit  cards  controls — October  2008.  p.  311 

We  recommend  that  Alberta  Health  Services — Peace  Country  Health  strengthen  and  follow  its  policies  and  processes 
for  employee  expense  claims  and  corporate  credit  cards.  We  also  recommend  that  Peace  Country  Health  develop  and 
implement  policies  and  guidance  on  appropriate  expenses  for  hosting  and  working  sessions. 

Peace  Country:  IT  user  access — October  2008,  p.  313 

We  recommend  that  Alberta  Health  Services — Peace  Country  Health  establish  a  process  to  periodically  review 
computer  system  user-access  rights  to  ensure  they  are  appropriate. 

Food  Safety:  Inspection  programs — October  2009,  #9,  p.  93 
(repeated  once  since  October  2006) 

We  again  recommend  that  Alberta  Health  Services  improve  their  food  establishment  inspection  programs.  Specifically. 
AHS  should: 

inspect  food  establishments  following  generally  accepted  inspection  frequency  standards 
ensure  that  inspections  are  consistently  administered  and  documented 

follow  up  critical  violations  promptly  to  ensure  that  food  establishments  have  corrected  those  violations 
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Food  Safety:  Information  systems — October  2009,  #10,  p.  99 
(repeated  once  since  October  2006) 

We  again  recommend  that  Alberta  Health  Services,  supported  by  the  Department  of  Health  and  Wellness,  improve  their 
automated  food  safety  information  systems.  This  includes: 

enhancing  system  management,  security,  and  access  control 

ensuring  data  consistency 

ensuring  that  service  level  agreements  are  in  place 

developing  reporting  capacity  for  management  and,  accountability  purposes 

Food  Safety:  Eliminating  gaps  in  food  safety  inspection  coverage — October  2009,  #12,  p.  111 
(repeated  once  since  October  2006) 

We  again  recommend  that  Alberta  Health  Services  and  the  Departments  of  Health  and  Wellness  and  Agriculture  and 
Rural  Development,  working  with  federal  regulators,  eliminate  the  existing  gaps  in  food  safety  coverage  in  Alberta. 
Gaps  include: 

mobile  butchers 

consistently  administering  the  Meat  Facility  Standard 
coordinating  inspections  in  the  "non-federally  registered"  sector 

Supplementary  retirement  plans— October  2009,  #28,  p.  260 

We  recommend  that  Alberta  Health  Services  review  existing  supplementary  retirement  plans  and: 
understand  the  terms  and  conditions  for  each  plan 

develop  clear  and  consistent  policies  and  processes  for  administering  them 

obtain  actuarial  valuations,  using  appropriate  and  consistent  assumptions,  for  the  plans 

understand  the  impact  of  funding  options 

ensure  sufficient  funds  are  available  to  meet  plan  obligations 

Information  technology  control  policies  and  processes — October  2009,  #29,  p.  262 

We  recommend  that  Alberta  Health  Services: 

develop  an  information  technology  control  framework,  including  appropriate  risk  management  processes  and 
controls,  for  the  management  of  its  information  technology  resources 

monitor  compliance  with  security  policies,  implementing  effective  change  management  processes  and  improving 
passwords  controls 

Capital  project  funding  and  approval — October  2009,  #31,  p.  269 

We  recommend  that  Alberta  Health  Services: 

obtain  appropriate  approval  from  the  Minister  of  Health  and  Wellness  and  secure  adequate  capital  funding  before 

starting  capital  projects  that  are  internally  funded  or  debt  financed 

ensure  budgets  include  the  estimated  future  operating  costs  associated  with  new  capital 

Capital  project  monitoring  systems — October  2009,  #32,  p.  271 

We  recommend  that  Alberta  Health  Services  improve  the  efficiency  and  effectiveness  of  its  financial  capital  project 

monitoring  and  reporting  systems  and  processes  by: 

implementing  common  systems,  policies  and  procedures  to  track  and  monitor  key  financial  information 
providing  relevant,  timely  and  accurate  information  to  Executive  Management  and  the  Audit  and  Finance 
Committee 

Year-end  financial  reporting  processes — October  2009,  p.  274 

We  recommend  that  Alberta  Health  Services  improve  its  year-end  financial  reporting  processes  by: 
clearly  defining  roles,  responsibilities  and  decision  making  authorities  for  financial  reporting 
improving  processes  to  identify  and  resolve  key  accounting  risks  and  reporting  issues  on  a  timely  basis 

Expenditure  policies  and  approvals — October  2009,  p.  277 

We  recommend  that  Alberta  Health  Services  improve  the  efficiency  and  effectiveness  of  its  expense  approval  controls 

by: 

developing  and  implementing  a  clear  and  comprehensive  expenditure  approval  policy 
automating  the  expenditure  controls  within  the  purchasing  system 

Approval  of  drug  purchases — October  2009,  p.  278 

We  recommend  that  Alberta  Health  Services  improve  controls  for  drug  purchases  by  ensuring  they  are  properly 
approved  and  duties  are  appropriately  segregated. 
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Management  has  identified  these  recommendations  as  implemented— to  be  confirmed  with  follow-up  audits 
Calgary  and  Capital:  Performance  measures  for  surgical  services— October  2001,  p.  135 

We  recommend  the  Calgary  Health  Region  and  Capital  Health  Authority  establish  a  comprehensive  set  of  outcome- 
based  performance  measures  for  surgical  facility  services  and  incorporate  these  standards  of  performance  into  ongoing 
monitoring  of  contracted  facilities. 

AADAC  Contracting  Practices:  Internal  controls— November  2006,  #1,  p.  14 

We  recommend  that  management  improve  controls  over  contracting  by 

ensuring  adequate  segregation  of  duties  exists  over  the  contracting  process 
monitoring  and  verifying  contractors'  compliance  with  contract  terms  and  conditions 

AADAC  Contracting  Practices:  Board  governance — November  2006,  #3,  p.  17 

We  recommend  that  the  Board,  at  least  annually,  receive  reports  from  management  on  the  design  and  effectiveness  of 
AADAC's  internal  controls. 

Calgary:  IT  change  management  controls — October  2008,  p.  306 

We  recommend  that  Alberta  Health  Services— Calgary  Health  Region  improve  its  change  management  policies  and 
procedures,  follow  them  and  implement  monitoring  controls  to  ensure  they  are  complied  with. 

Capital:  IT  change  management  controls — October  2008,  p.  309 

We  recommend  that  Alberta  Health  Services — Capital  Health  improve  its  information  technology  change-management 
controls  over  testing,  categorizing,  and  reviewing  changes. 

Peace  Country:  Contract  documentation— October  2008,  p.  312 

We  recommend  that  Alberta  Health  Services — Peace  Country  Health  develop  and  implement  a  sole-sourcing  policy 
for  contracts  and  ensure  that  sole-sourcing  is  clearly  documented  and  justified.  We  also  recommend  Alberta  Health 
Services — Peace  Country  Health  ensure  contract  amendments,  including  changes  to  deliverables,  are  documented  and 
agreed  to  by  both  parties. 

Physician  recruitment  incentives — October  2009,  p.  279 

We  recommend  that  Alberta  Health  Services  improve  controls  for  physician  recruitment  incentives  by  developing  and 
implementing  a  policy  that  identifies: 

criteria  and  approvals  required  for  granting  loans,  income  guarantees  and  relocation  allowances 

monitoring  and  collection  procedures  for  physician  loans 

Housing  and  Urban  Affairs 

Department 

The  following  recommendation  is  outstanding  and  not  yet  ready  for  a  follow-up  audit. 
Direct  rent  supplement  program  payments — October  2009,  p.  283 

We  recommend  that  the  Department  of  Housing  and  Urban  Affairs  improve  its  monitoring  processes  of  direct  rent 
supplement  payments  issued  by  management  bodies,  by  requiring  periodic  reviews  of  these  payments. 

Infrastructure 

Department 

The  following  recommendation  is  outstanding  and  not  yet  ready  for  a  follow-up  audit: 
IT  risk— October  2009,  p.  287 

We  recommend  that  the  Ministry  of  Infrastructure  develop  and  implement  an  information  technology  risk  management 
framework. 

The  Departments  of  Infrastructure  and  Treasury  Board 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Challenging  and  supporting  assumptions — April  2010,  #1,  p.  22 

We  recommend  that  the  Departments  of  Treasury  Board  and  Infrastructure  improve  processes,  including  sensitivity 
analysis,  to  challenge  and  support  maintenance  costs  and  risk  valuations. 

Transparency— April  2010,  #2,  p.  24 

We  recommend  that  the  Departments  of  Treasury  Board  and  Infrastructure  follow  their  own  guidance  to  publish  a  Value 
for  Money  Report  upon  entering  into  a  Public  Private  Partnership  (P3)  agreement. 
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International  and  Intergovernmental  Affairs 

Ministry 

The  following  recommendation  is  outstanding  and  not  yet  ready  for  a  follow-up  audit: 
Evaluating  international  offices'  performance — October  2008,  p.  324 

We  recommend  that  the  Ministry  of  International  and  Intergovernmental  Relations  improve  the  processes  management 
uses  to  evaluate  the  performance  of  each  international  office. 

Management  has  identified  this  recommendation  as  implemented — to  be  confirmed  with  a  follow-up  audit: 
Ensuring  effective  information-system  controls — October  2008,  p.  326 

We  recommend  that  the  Ministry  of  International  and  Intergovernmental  Relations  obtain  assurance  that  information- 
system  controls  are  effective  at  the  international  offices  and  that  relevant  Government  of  Alberta  IT  policies  and 
standards  are  being  met. 

Justice  and  Attorney  General 
Department 

The  following  recommendation  is  outstanding  and  not  yet  ready  for  a  follow-up  audit: 
Access  controls — October  2009,  p.  295 

We  recommend  that  the  Department  of  Justice  obtain  assurance  that  organizations  provided  access  to  the  Justice 
On-line  Information  Network  are  following  the  Department's  policies  and  procedures  for  granting  user  access. 

Management  has  identified  this  recommendation  as  implemented — to  be  confirmed  with  a  follow-up  audit: 
Motor  vehicle  accident  program — Clarifying  collection  steps — October  2009,  #33,  p.  293 

We  recommend  that  the  Department  of  Justice  clarify  the  collection  steps  for  judgments  assigned  to  it  under  the  Motor 
Vehicle  Accident  program. 

Municipal  Affairs 
Department 

The  following  recommendation  is  outstanding  and  not  yet  ready  for  a  follow-up  audit: 
Disaster  Recovery  Program— October  2009,  #34,  p.  301 

We  recommend  that  the  Department  of  Municipal  Affairs  improve  its  management  of  the  disaster  recovery  program  by: 
setting  timelines  for  key  steps  that  must  be  performed  before  federal  government  funding  can  be  received 
periodically  assessing  and  adjusting  costs  and  recovery  estimates  based  on  current  information 

Management  has  identified  this  recommendation  as  implemented — to  be  confirmed  with  a  follow-up  audit: 
ME  first!  Program— October  2008,  #37,  p.  335 

We  recommend  that  the  Department  of  Municipal  Affairs  assess  the  effect  on  greenhouse  gas  emissions  of  the  energy 
savings  that  resulted  from  the  projects  funded  by  the  Department's  ME  first!  Program  and  that  the  Department  report 
the  lessons  learned  from  this  program  to  the  Departments  involved  in  creating  climate  change  programs. 

Seniors  and  Community  Supports 
Department 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Seniors  Care:  Effectiveness  of  Seniors  Lodge  Program — October  2005,  #12,  p.  66 

We  recommend  that  the  Department  of  Seniors  and  Community  Supports: 

1 .  improve  the  measures  it  uses  to  assess  the  effectiveness  of  the  Seniors  Lodge  Program. 

2.  obtain  sufficient  information  periodically  to  set  the  minimum  disposable  income  of  seniors  used  as  a  basis  for 
seniors  lodge  rent  charges. 

Seniors  Care:  Determining  future  needs  for  Alberta  Seniors  Lodge  Program — October  2005,  p.  67 

We  recommend  that  the  Department  of  Seniors  and  Community  Supports  improve  its  processes  for  identifying  the 
increasing  care  needs  of  lodge  residents  and  consider  this  information  in  its  plans  for  the  Seniors  Lodge  Program. 

General  computer  controls— October  2007,  vol.  2,  p.  143 

We  recommend  that  the  Ministry  of  Seniors  and  Community  Supports  improve  general  computer  controls  by: 
identifying  and  protecting  data  based  on  its  sensitivity, 
following  change  management  procedures, 
reviewing  database  logs,  and 
reviewing  user  access  to  applications. 
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Management  has  identified  this  recommendation  as  implemented — to  be  confirmed  with  a  follow-up  audit 
Seniors  Care:  Compliance  with  Basic  Service  Standards— October  2005,  #6,  p.  58 

We  recommend  that  the  Department  of  Health  and  Wellness  and  the  Regional  Health  Authorities,  working  with  the 
Department  of  Seniors  and  Community  Supports,  improve  the  systems  for  monitoring  the  compliance  of  long-term  care 
facilities  with  the  Basic  Service  Standards. 

Persons  with  Developmental  Disabilities  Boards 

The  following  recommendation  is  outstanding  and  not  yet  ready  for  a  follow-up  audit: 
Contract  monitoring  and  evaluation — October  2004.  #9.  p.  111 

We  recommend  that  the  Persons  with  Developmental  Disabilities  Provincial  Board  work  with  the  six  Community  Boards 

to  strengthen  the  monitoring  and  evaluation  of  the  performance  of  service  providers  by: 
requiring  individual  funding  service  providers  to  provide  adequate  financial  reporting: 
obtaining  annual  financial  statements  to  evaluate  the  financial  sustainability  of  critical  service  providers: 
implementing  a  sustainable,  risk-based  internal  audit  plan; 

developing  and  implementing  standard  procedures  to  be  followed  when  Community  Board  staff  are  in  contact  with 
service  providers,  and 

implementing  a  method  to  evaluate  service  provider  performance. 

Service  Alberta 
Ministry  and  Department 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Contracting  policies  and  procedures — October  2004,  #20,  p.  177 

We  recommend  that  the  Alberta  Corporate  Service  Centre: 

develop  comprehensive  contracting  policies  and  procedures 
train  staff  on  how  to  follow  the  policies  and  procedures 
monitor  staff  compliance  with  the  policies  and  procedures 

IT  project  management— October  2006,  #22,  vol.  1,  p.  174 

We  recommend  that  the  Deputy  Minister  of  Restructuring  and  Government  Efficiency  provide  guidance  to  Deputy 
Ministers  and  their  Chief  Information  Officers  on  their  responsibilities  for  overseeing  information  technology  projects. 

IT  Service  level  agreements  between  Service  Alberta  and  its  client  ministries — October  2007,  #32,  vol.  2,  p.  146 

We  recommend  that  the  Ministry  of  Service  Alberta,  working  with  its  client  ministries,  revise  their  information  technology 
service  level  agreements  to: 

ensure  that  the  agreements  are  current 

clarify  the  level  of  services  provided  in  each  service  category 

define  the  roles  and  responsibilities  of  each  party 

Guidance  to  implement  IT  control  frameworks — April  2008,  #7,  p.  170 

We  recommend  that  the  Ministry  of  Service  Alberta,  in  conjunction  with  all  ministries  and  through  CIO  Council,  develop 
and  promote: 

a  comprehensive  IT  control  framework,  and  accompanying  implementation  guidance,  and 
well-designed  and  cost-effective  IT  control  processes  and  activities. 

Central  Security  Office— October  2008,  #4,  p.  532 

To  secure  the  Government  of  Alberta's  information,  we  recommend  that  Executive  Council  ensures  that  a  central 
security  office  is  immediately  established  to  oversee  (develop,  communicate,  implement,  monitor  and  enforce)  all 
aspects  of  information  security  for  organizations  using  the  government's  shared  information-technology  infrastructure. 

Physical  security— October  2008,  #8,  p.  87 

We  recommend  that  the  Ministry  of  Service  Alberta  work  with  the  Ministry  of  Infrastructure,  in  conjunction  with  all 
ministries  and  through  the  Chief  Information  Officer  (CIO)  Council,  to  improve: 
physical  security  controls  at  data  facilities. 

logging  of  access  to  data  facilities  by  implementing  effective  controls  to  track  access. 
Service  Alberta's  as  a  central  processor  of  transactions — October  2008,  #38,  p.  345 

We  recommend  that  the  Ministry  of  Service  Alberta  consider  providing  internal  control  assurance  to  its  client  ministries 
on  its  centralized  processing  of  transactions. 

Access-  and  security-monitoring  of  application  systems — October  2008,  p.  346 

We  recommend  that  the  Ministry  of  Service  Alberta  ensure  adequate  logging  and  monitoring  processes  are  in  place  in 
all  application  systems  that  host  or  support  financial  information  and  Albertans'  personal  information. 


2      Recommendation  originally  made  to  Executive  Council.  Both  entities  agreed  that  Service  Alberta  would  assume  responsibility  for  implementation 
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System-conversion  process — October  2008,  p.  349 

We  recommend  that  the  Ministry  of  Service  Alberta  document  its  review  of  actual  system-conversion  activities  to  ensure 
that  they  comply  with  the  approved  test  plan  for  system  conversion  and  data  migration. 

Information  technology  resumption  plan — October  2009,  #35,  p.  311 

We  recommend  that  the  Ministry  of  Service  Alberta  complete  and  test  an  information  technology  resumption  plan. 
Payroll  review  processes — October  2009,  p.  312 

We  recommend  that  the  Ministry  of  Service  Alberta  improve  its  process  to  provide  timely  supporting  documentation  on 
payroll  information  that  it  maintains  for  itself  and  its  client  ministries. 

Analyzing  land  titles  data — April  2010,  p.  110 

We  recommend  that  the  Department  of  Service  Alberta  improve  its  ability  to  detect  fraudulent  transactions  and  mitigate 
the  risk  of  property  fraud  by: 

conducting  regular  analysis  of  land  title  data  for  suspicious  transactions 

using  the  results  of  data  analysis  to  focus  investigations  and  prosecutions 

providing  information  about  suspicious  activities  to  Department  staff  to  assist  them  in  the  exercise  of  their  new 
legislative  authority 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 

Develop  standards  and  policies  to  ensure  web  applications  are  built  to  required  standards — 
October  2008,  #5,  p.  66 

We  recommend  that  the  Ministry  of  Service  Alberta,  in  conjunction  with  all  ministries  and  through  the  Chief  Information 
Officer  (CIO)  Council,  develop  and  implement  well-designed  and  effective  controls  to  ensure  all  Government  of  Alberta 
web  applications  consistently  meet  all  security  standards  and  requirements. 

Review  and  improve  the  GoA's  shared  computing  infrastructure  policies,  procedures,  and  standards — 
October  2008,  #6,  p.  68 

We  recommend  that  the  Ministry  of  Service  Alberta  work  with  all  ministries  and  through  the  Chief  Information  Officer 
(CIO)  Council,  to  develop  and  implement  policies,  procedures,  standards,  and  well-designed  control  activities  for  the 
Government  of  Alberta's  shared  computing  network. 

Wireless  policies  and  standards — October  2008,  p.  75 

We  recommend  that  the  Ministry  of  Service  Alberta,  in  conjunction  with  all  ministries  and  through  the  Chief  Information 
Officer  (CIO)  Council,  update  its  existing  Wireless  LAN  Access  Security  Policy  to  provide  clearer  guidance  to  Ministries 
in  deploying  and  securing  wireless-network-access  points. 

Device  configurations — October  2008,  p.  76 

We  recommend  that  the  Ministry  of  Service  Alberta,  in  conjunction  with  all  ministries  and  through  the  Chief  Information 
Officer  (CIO)  Council,  review  the  configuration  of  laptops,  and  approve  policies  to  prevent  laptops  from  inadvertently 
exposing  the  government  environment. 

Ongoing  monitoring  and  surveillance — October  2008,  #7,  p.  77 

We  recommend  the  Ministry  of  Service  Alberta,  in  conjunction  with  all  ministries  and  through  the  Chief  Information 
Officer  (CIO)  Council,  update  network  surveillance  methods  to  detect  and  investigate  the  presence  of  unauthorized 
wireless  access  points  within  the  Government  of  Alberta. 

Backup  power  supplies — October  2008,  p.  85 

We  recommend  that  the  Ministry  of  Service  Alberta,  work  in  conjunction  with  all  ministries  and  through  the  Chief 
Information  Officer  (CIO)  Council,  to  ensure  that  ministries  that  use  data  facilities  ensure  that  connected  computer 
equipment  has  a  sufficient  redundant  power  supply. 

Environmental  security — October  2008,  p.  89 

We  recommend  that  Ministry  of  Service  Alberta  work  with  ministries  to  improve  the  environmental  security  controls  at 
shared  data  facilities. 
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Solicitor  General  and  Public  Security 
Department 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits 
Follow-up  of  compliance  audit  report  recommendations — April  2010,  #15.  p.  120 

We  recommend  that  the  Department  of  Solicitor  General  and  Public  Security  improve  its  processes  to  monitor  and 
ensure  employers  implement  its  compliance  audit  recommendations  by: 

developing,  maintaining  and  monitoring  a  database  of  the  implementation  status  of  all  audit  recommendations 

requiring  timely  written  confirmation  of  compliance  from  employers 

ensuring  files  on  employers  are  properly  maintained 

taking  necessary  and  timely  action  against  non-compliant  employers 

Processes  to  conduct  compliance  audits — April  2010,  p.  122 

We  recommend  that  the  Department  of  Solicitor  General  and  Public  Security: 

use  a  risk-based  approach  in  future  audit  cycles  for  selecting  on-site  employer  compliance  audits 

better  document  compliance  audit  files,  including  documenting  audit  findings,  identifying  auditors  performing  the 

work  and  demonstrating  sufficient  oversight 

Monitoring  employers'  investigations  of  peace  officers — April  2010,  #16,  p.  125 

We  recommend  that  the  Department  of  Solicitor  General  and  Public  Security  improve  monitoring  of  employers' 
investigations  of  complaints  made  against  peace  officers  by: 

following  current  policy  and  best  practices,  including  managerial  approval  of  concluded  files,  and  implementing 

proper  filing  procedures 

providing  written  notification  to  an  employer  when  closing  a  file 
better  maintaining  its  databases 

Sustainable  Resource  Development 

Department 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Reforestation:  Monitoring  and  enforcement — October  2006,  #15,  vol.  1,  p.  122 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  strengthen  its  monitoring  of  reforestation 
activities  by: 

bringing  more  rigour  to  the  review  of  forestry  operator  plans 

making  its  field  inspection  program  more  effective 

promptly  identifying  and  correcting  non-compliance  with  legislation 

Leases  and  sales — October  2007,  vol.  2,  p.  161 

We  recommend  that  the  Department  develop  a  guideline  for  lease  and  sale  of  land  indicating  when  and  with  whom  to 
consult. 

Requests  for  proposals— October  2007,  #33,  vol.  2,  p.  163 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  evaluate  whether  government  objectives 
could  be  met  by  introducing  requests  for  proposals  from  all  interested  parties  whenever  an  entity  applies  to  put 
substantial  improvements  on  public  land. 

Controls  over  revenue— October  2008.  #39,  p.  355 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  put  processes  in  place  to  allow  significant 
revenues  currently  recorded  when  cash  is  received  to  be  recorded  when  revenue  is  due  to  the  Crown. 

Sand  and  Gravel:  Enforcement  of  reclamation  obligations — October  2008,  #40,  p.  360 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  improve  processes  for  inspecting 
aggregate  holdings  on  public  land  and  enforcing  land  reclamation  requirements. 

Sand  and  Gravel:  Flat  fee  security  deposit— October  2008,  #41,  p.  362 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  assess  the  sufficiency  of  security  deposits 
collected  under  agreements  to  complete  reclamation  requirements. 

Sand  and  Gravel:  Quantity  of  aggregate  removed— October  2008,  p.  364 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  develop  systems  to  verify  quantities  of 
aggregate  reported  as  removed  by  industry  from  public  lands  so  that  all  revenue  due  to  the  Crown  can  be  assessed 
and  recorded  in  the  financial  statements. 
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Sand  and  Gravel:  Information  management — October  2008,  p.  366 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  capture  and  consolidate  information 
throughout  the  life  of  an  aggregate  holding  and  use  it  to  test  compliance  with  legal  obligations. 

Reforestation:  Performance  information — April  2009,  #2,  p.  52 
(repeated  once  since  October  2006) 

We  again  recommend  that  the  Department  of  Sustainable  Resource  Development  publicly  report  relevant  and  sufficient 
reforestation  performance  information  to  confirm  the  effectiveness  of  its  regulatory  systems. 

IT  control  framework— October  2009,  p.  323 

We  recommend  the  Department  of  Sustainable  Resource  Development  improve  policies  and  processes  in  its 
information  technology  control  environment. 

Management  has  identified  these  recommendations  as  implemented — to  be  confirmed  with  follow-up  audits: 
Contracting— October  2003,  p.  277 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  follow  the  government's  best  practice 
guidelines  for  contracted  services  and  grants  when  undertaking  major  capital  or  long-term  lease  projects. 

Reforestation:  Seed  inventory — October  2006,  vol.  1,  p.  129 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  improve  controls  over  the  seed  supply 
used  for  reforestation  by: 

strengthening  processes  to  ensure  that  the  integrity  of  the  seed  zone  is  maintained 

assessing  whether  seed  is  available  to  meet  reforestation  requirements. 

Land  sale  agreements — October  2007,  vol.  2,  p.  162 

We  recommend  that  the  Department  establish  a  guideline  to  not  sell  public  land  until  the  lessee  is  in  compliance  with 
key  lease  requirements. 

Project  management — October  2007,  vol.  2,  p.  165 

We  recommend  that  the  Department  show  clearly  throughout  a  project  that  repeated  contracting  with  the  same 
contractor  is  a  cost  effective  way  to  achieve  that  project's  desired  outcome. 

Natural  Resources  Conservation  Board 

Management  has  identified  this  recommendation  as  implemented — to  be  confirmed  with  a  follow-up  audit: 
Compliance  and  enforcement  (Confined  feeding  operations) — October  2007,  #34,  vol.  2,  p.  167 
(repeated  once  since  October  2004) 

We  again  recommend  that  the  Natural  Resources  Conservation  Board  rank  its  compliance  and  enforcement  activities 
based  on  risk.  To  do  so,  the  Board  must: 

define  through  research  the  environmental  risks  applicable  to  CFOs  and  their  impact 

categorize  CFOs  by  priority  levels  of  environmental  risk  at  different  locations 

conduct  appropriate  sampling  and  testing  to  confirm  the  validity  of  assigned  risk  levels 

select  and  deliver  appropriate  compliance  and  enforcement  action 

Tourism,  Parks  and  Recreation  and  Culture  and  Community  Spirit 

Ministry 

The  following  recommendation  is  outstanding  and  not  yet  ready  for  a  follow-up  audit: 
Computer  control  environment — October  2007,  vol.  2,  p.  172 

We  recommend  that  the  Ministry  of  Tourism,  Parks,  Recreation  and  Culture  work  with  Service  Alberta  to: 

document  the  services  that  Service  Alberta  is  to  provide  and  its  control  environment  for  information  technology 
implement  a  process  to  ensure  that  Service  Alberta  consistently  meets  service  level  and  security  requirements 
provide  evidence  that  control  activities  maintained  by  Service  Alberta  are  operating  effectively 

Transportation 
Department 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 

Commercial  vehicle  safety:  Inspection  tools  and  vehicle  selection — October  2009,  p.  124 

We  recommend  that  the  Department  of  Transportation  improve  its  inspection  capability  by  incorporating  risk  analysis 
into  the  selection  of  vehicles  for  roadside  inspection  and  increasing  the  amount  of  information  available  at  roadside. 

Commercial  vehicle  safety:  Progressive  sanctions — October  2009,  #14,  p.  127 

We  recommend  that  the  Department  of  Transportation  strengthen  enforcement  processes  relating  to,  or  arising  from, 
roadside  inspections. 
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Commercial  vehicle  safety:  Analysis  and  measurement — October  2009,  #15,  p.  129 

We  recommend  that  the  Department  of  Transportation  further  develop  and  improve  its  data  analysis  practices  for  use  in 
program  delivery  and  performance  measure  reporting. 

IT  risk  assessment— October  2009,  p.  329 

We  recommend  that  the  Department  of  Transportation  develop  and  implement  an  Information  Technology  risk 
assessment  framework 

Management  has  identified  these  recommendations  as  implemented — to  be  confirmed  with  follow-up  audits 
Commercial  and  motor  vehicle  inspection  programs— October  2004.  #29.  p.  301 

We  recommend  that  the  Ministry  of  Transportation  strengthen  its  monitoring  processes  for  Commercial  Vehicle 
Inspection  Program  and  Motor  Vehicle  Inspection  Program  by: 

documenting  policies,  procedures  and  management's  expectations  of  the  Vehicle  Safety  Investigators  to  ensure 

that  they  perform  their  functions  appropriately  and  consistently; 

developing  a  reporting  process  to  allow  senior  management  to  enhance  the  assessment  of  the  effectiveness  of  the 
programs. 

Licensing  inspection  facilities  and  technicians— October  2004,  #30,  p.  303 

We  recommend  that  the  Ministry  of  Transportation  improve  the  process  to  license  inspection  facilities  and  technicians. 

Treasury  Board 

Ministry  and  Department 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 

Infrastructure  needs:  Maintenance  and  life-cycle  costs — October  2007,  #2,  vol.  1,  p.  49 

We  recommend  that  the  Department  of  Treasury  Board,  in  consultation  with  departments,  develop  objectives,  timelines, 
and  targets  for  reducing  deferred  maintenance,  and  include  information  on  reducing  deferred  maintenance  in  the 
province's  Capital  Plan 

Infrastructure  needs:  Deferred  maintenance  and  life-cycle  costs — October  2007,  #3,  vol.  1,  p.  54 

We  recommend  that  the  Department  of  Treasury  Board: 

require  life-cycle  costing  information  for  proposed  infrastructure  projects,  and 

establish  a  process  to  ensure  public  infrastructure  assets  are  properly  maintained  over  their  life. 

Government  credit  cards — October  2007,  #17,  vol.  1,  p.  174 

We  recommend  that  the  Department  of  Treasury  Board,  working  with  all  other  Departments,  further  improve  controls  for 
the  use  of  government  credit  cards  by: 

1.  communicating  responsibilities  to  all  cardholders. 

2.  clarifying  the  support  required  to  confirm  both  the  nature  and  purpose  of  transactions. 

3.  providing  guidance  to  senior  financial  officers  and  accounting  staff  on  dealing  with  significant  non-compliance. 
Inconsistent  budgeting  and  accounting  for  grants — October  2007,  vol.  2,  p.  178 

We  recommend  that  the  Ministry  of  Treasury  Board,  working  with  other  departments,  provide  guidance  to  ensure 
consistent  accounting  treatment  of  grants  throughout  government. 

CEO  compensation  disclosure — October  2008.  #3,  p.  32 

We  recommend  that  the  Treasury  Board  consider  applying  the  new  private-sector  compensation-disclosure  requirement 
to  the  Alberta  public  sector 

Salary  and  benefits  disclosure — October  2008,  p.  371 

We  recommend  that  the  Ministry  of  Treasury  Board,  through  the  Salaries  and  Benefits  Disclosure  Directive,  clarify  what 
form  of  disclosure,  under  what  circumstances,  is  required  of  the  salary  and  benefits  of  an  individual  in  an  organization's 
senior  decision  making/management  group  who  is  compensated  directly  by  a  third  party. 

Report  on  selected  payments  to  MLAs — Content — October  2008,  p.  3753 

We  recommend  that  the  Department  of  Treasury  Board  reaffirm  what  should  be  contained  within  the  Report  of  Selected 
Payments  to  Members  and  Former  Members  of  the  Legislative  Assembly  and  Persons  Directly  Associated  with 
Members  of  the  Legislative  Assembly  to  ensure  it  continues  to  be  relevant 

Report  on  selected  payments  to  MLAs — Efficiency — October  2008,  p.  376 

We  recommend  that  the  Department  of  Treasury  Board  use  current  technology  to  regularly  and  efficiently  compile  the 
material  for  public  reporting. 


The  Ministry  of  Treasury  Board  has  informed  the  Office  of  the  Auditor  General  that  it  does  not  consider  itself  responsible  for 
implementing  this  recommendation. 
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Public  agencies:  Disclosure  of  termination  benefits  paid — October  2009,  #2,  p.  29 

We  recommend  that  the  Ministry  of  Treasury  Board  increase  transparency  of  termination  benefits  by  adopting 
disclosure  practices  for  Alberta  public  agencies  that  disclose  termination  benefits  paid. 

Government  of  Alberta  and  Ministry  Annual  Reports:  Analysis  and  review  of  performance  measures — 
October  2009,  #16,  p.  136 

We  recommend  the  Ministry  of  Treasury  Board  work  with  Ministries  to  improve  processes  at  the  ministry  level  relating  to 
analysis  and  review  of  performance  measures.  We  also  recommend  the  Ministry  of  Treasury  Board  establish  a  protocol 
with  ministries  whereby  it  is  informed  of  proposed  changes  by  ministries  to  performance  measures  methodology  in  a 
timely  manner. 

Management  has  identified  these  recommendations  as  implemented — to  be  confirmed  with  follow-up  audits: 
Infrastructure  needs:  Process  to  prioritize  projects — October  2007,  #4,  vol.  1,  p.  57 

We  recommend  that  the  Department  of  Treasury  Board  improve  the  process  to  evaluate  proposed  infrastructure 
projects  that  ministries  submit. 

Infrastructure  needs:  Improving  current  information — October  2007,  #5,  vol.  1,  p.  59 

We  recommend  that  the  Department  of  Treasury  Board,  working  with  the  Treasury  Capital  Planning  Committee, 
examine  how  the  current  information  provided  to  Treasury  Board  can  be  improved. 

Report  on  selected  payments  to  MLAs — Timely — October  2008,  p.  377 

We  recommend  that  the  President  of  Treasury  Board  arrange  for  all  final  reviews  of  the  Report  to  take  place  within  six 
months  of  the  year  end  so  that  the  Report  can  be  ready  for  tabling  in  the  Legislative  Assembly. 

The  Departments  of  Treasury  Board  and  Infrastructure 

The  following  recommendations  are  outstanding  and  not  yet  ready  for  follow-up  audits: 
Challenging  and  supporting  assumptions — April  2010,  #1,  p.  22 

We  recommend  that  the  Departments  of  Treasury  Board  and  Infrastructure  improve  processes,  including  sensitivity 
analysis,  to  challenge  and  support  maintenance  costs  and  risk  valuations. 

Transparency— April  2010,  #2,  p.  24 

We  recommend  that  the  Departments  of  Treasury  Board  and  Infrastructure  follow  their  own  guidance  to  publish  a  Value 
for  Money  Report  upon  entering  into  a  Public  Private  Partnership  (P3)  agreement. 
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Report  of  the  Auditor  General  of  Alberta — October  2010 


Glossary 


This  glossary  explains  key  accounting  terms  and  concepts  in  this  report 

Accountability  Responsibility  for  the  consequences  of  actions.  In  this  report,  accountability  requires  ministries, 

departments  and  other  entities  to: 

report  their  results  (what  they  spent  and  what  they  achieved)  and  compare  them  to  their  goals 
explain  any  differences  between  their  goals  and  results 

Government  accountability  allows  Albertans  to  decide  whether  the  government  is  doing  a  good  job 
They  can  compare  the  costs  and  benefits  of  government  action:  what  it  spends,  what  it  tries  to  do 
(goals),  and  what  it  actually  does  (results). 

Accrual  basis  of  A  way  of  recording  financial  transactions  that  puts  revenues  and  expenses  in  the  period  when  they 
accounting  are  earned  and  incurred. 


Adverse  auditor's 
opinion 


An  auditor's  opinion  that  financial  statements  are  not  presented  fairly  and  are  not  reliable. 


Assurance 


An  auditor's  written  conclusion  about  something  audited.  Absolute  assurance  is  impossible  because 
of  several  factors,  including  the  nature  of  judgment  and  testing,  the  inherent  limitations  of  control, 
and  the  fact  that  much  of  the  evidence  available  to  an  auditor  is  only  persuasive,  not  conclusive 


Attest  work,  attest 
audit 


Work  an  auditor  does  to  express  an  opinion  on  the  reliability  of  financial  statements. 


Audit 


An  auditor's  examination  and  verification  of  evidence  to  determine  the  reliability  of  financial 
information,  to  evaluate  compliance  with  laws,  or  to  report  on  the  adequacy  of  management 
systems,  controls  and  practices. 


Auditor 

Auditor's  opinion 
Auditor's  report 
Business  cases 


A  person  who  examines  systems  and  financial  information. 

An  auditor's  written  opinion  on  whether  things  audited  meet  the  criteria  that  apply  to  them. 
An  auditor's  written  communication  on  the  results  of  an  audit. 

An  assessment  of  a  project's  financial,  social  and  economic  impacts.  A  business  case  is  a  proposal 
that  analyses  the  costs,  benefits  and  risks  associated  with  the  proposed  investment,  including 
reasonable  alternatives.  The  province  has  issued  business  case  usage  guidelines  and  a  business 
case  template  that  the  Department  can  refer  to  in  establishing  its  business  case  policy. 


Capital  asset  A  long-term  asset. 

COBIT  Abbreviation  for  "Control  Objectives  for  Information  and  Related  Technology."  COBIT  was 

developed  by  the  Information  Systems  Audit  and  Control  Foundation  and  the  IT  Governance 
Institute.  COBIT  provides  good  practices  for  managing  IT  processes  to  meet  the  needs  of  enterprise 
management.  It  bridges  the  gaps  between  business  risks,  technical  issues,  control  needs,  and 
performance  measurement  requirements. 

Criteria  Reasonable  and  attainable  standards  of  performance  that  auditors  use  to  assess  systems. 

Cross-ministry         The  section  of  this  report  covering  systems  and  problems  that  affect  several  ministries  or  the  whole 
government. 

Crown  The  Government  of  Alberta. 


Deferred 
contributions 


See  "Restricted  contributions". 
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Deferred 
maintenance 

ERP 


Exception 

Expense 

IFRS 

gaap 


Any  maintenance  work  not  performed  when  it  should  be.  Maintenance  work  should  be  performed 
when  necessary  to  ensure  capital  assets  provide  acceptable  service  over  their  expected  lives. 

Abbreviation  for  Enterprise  Resource  Planning.  ERPs  integrate  and  automate  all  data  and 
processes  of  an  organization  into  one  comprehensive  system.  A  typical  ERP  has  multiple  modules 
within  a  computer  software  application,  standardized  hardware,  and  a  centralized  database  used 
by  all  modules  to  achieve  this  integration.  Although  an  ERP  can  be  as  small  as  an  accounting 
and  payroll  application,  the  term  ERP  is  usually  associated  with  larger  systems  that  perform  many 
functions  within  an  organization.  Examples  of  modules  in  an  ERP,  which  formerly  would  have  been 
stand-alone  applications,  include:  Financials  (General  Ledger,  Accounts  Payable,  and  Accounts 
Receivable),  Payroll,  Human  Resources,  Purchasing  and  Supply  Chain,  Project  Management, 
Asset  Management,  Student  Administration  Systems  and  Decision  Support  Systems.  Some  of  the 
more  common  ERPs  are  PeopleSoft,  SAP,  Great  Plains,  and  Oracle  Applications. 

Something  that  does  not  meet  the  criteria  it  should  meet — see  'Auditor's  opinion." 

The  cost  of  a  thing  over  a  specific  time. 

International  Financial  Reporting  Standards  (IFRS)  are  global  accounting  standards,  adopted  by  the 
Accounting  Standards  Board  of  the  Canadian  Institute  of  Chartered  Accountants.  They  are  required 
for  government  business  enterprises  for  fiscal  years  beginning  on  or  after  January  1 ,  2011 . 

Abbreviation  for  "generally  accepted  accounting  principles,"  which  are  established  by  the  Canadian 
Institute  of  Chartered  Accountants. 


Governance  A  process  and  structure  that  brings  together  capable  people  and  relevant  information  to  achieve 

goals.  Governance  defines  an  organization's  accountability  systems  and  ensures  the  effective  use 
of  public  resources. 

Internal  audit  A  group  of  auditors  within  a  ministry  (or  an  organization)  that  assesses  and  reports  on  the  adequacy 

of  the  ministry's  internal  controls.  The  group  reports  its  findings  directly  to  the  deputy  minister. 
Internal  auditors  need  an  unrestricted  scope  to  examine  business  strategies;  internal  control 
systems;  compliance  with  policies,  procedures,  and  legislation;  economical  and  efficient  use  of 
resources;  and  the  effectiveness  of  operations. 

Internal  control         A  system  designed  to  provide  reasonable  assurance  that  an  organization  will  achieve  its  goals. 

Management  is  responsible  for  an  effective  internal  control  system  in  an  organization,  and  the 
organization's  governing  body  should  ensure  that  the  control  system  operates  as  intended.  A 
control  system  is  effective  when  the  governing  body  and  management  have  reasonable  assurance 
that: 

they  understand  the  effectiveness  and  efficiency  of  operations 
internal  and  external  reporting  is  reliable 

the  organization  is  complying  with  laws,  regulations,  and  internal  policies 

Management  letter     Our  letter  to  the  management  of  an  entity  that  we  have  audited.  In  the  letter,  we  explain: 

1 .  our  work 

2.  our  findings 

3.  our  recommendation  of  what  the  entity  should  improve 

4.  the  risks  if  the  entity  does  not  implement  the  recommendation 

We  also  ask  the  entity  to  explain  specifically  how  and  when  it  will  implement  the  recommendation. 
Material,  materiality   Something  important  to  decision-makers. 

Misstatement  A  misrepresentation  of  financial  information  due  to  mistake,  fraud,  or  other  irregularities. 

Outcomes  The  results  an  organization  tries  to  achieve  based  on  its  goals. 


Outputs 


The  goods  and  services  an  organization  actually  delivers  to  achieve  outcomes.  They  show  "how 
much"  or  "how  many." 
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Performance  Indicator  of  progress  in  achieving  a  goal 
measure 

Performance  Reporting  on  financial  and  non-financial  performance  compared  to  plans 
reporting 

Performance  target  The  expected  result  for  a  performance  measure. 

Qualified  auditor's  An  auditor's  opinion  that  things  audited  meet  the  criteria  that  apply  to  them,  except  for  one  or  more 

opinion  specific  areas — which  cause  the  qualification. 

Recommendation  A  solution  we — the  Office  of  the  Auditor  General  of  Alberta — propose  to  improve  the  use  of  public 
resources  or  to  improve  performance  reporting  to  Albertans. 

Restricted  Restricted  contributions  are  monetary  receipts  or  gifts-in-kind  provided  with  stipulations  specified 

contributions  by  the  donor  or  grantor  on  how  those  resources  are  to  be  used  by  the  recipient  organization. 

Generally  accepted  accounting  principles  for  not-for-profit  organizations  require  externally  restricted 
contributions  to  be  accounted  for  by  including  the  value  of  contributions  in  revenue  only  after  the 
stipulations  are  met.  This  results  in  "deferred  contributions''  on  the  balance  sheet.  These  deferred 
contributions  represent  the  value  of  contributions  received  but  for  which  the  stipulations  have  not 
yet  been  met  by  the  recipient  organization.  Alternatively,  generally  accepted  accounting  principles 
allow  restricted  contributions  to  be  recognized  in  revenue  when  received  if  they  are  separately 
classified  by  the  nature  of  their  restrictions  on  the  face  of  the  financial  statements.  These  two 
accounting  methods,  known  as  the  deferral  method  and  restricted  fund  method,  are  thought  to 
provide  useful  information  to  readers  of  the  financial  statements  about  how  management  has  used 
resources  provided  to  them  and  whether  or  not  they  have  complied  with  stipulations  imposed  by 
donors. 


Review 


Reviews  are  different  from  audits  in  that  the  scope  of  a  review  is  less  than  that  of  an  audit 
and  therefore  the  level  of  assurance  is  lower.  A  review  consists  primarily  of  enquiry,  analytical 
procedures  and  discussion  related  to  information  supplied  to  the  reviewer  with  the  objective  of 
assessing  whether  the  information  being  reported  on  is  plausible  in  relation  to  the  criteria. 


Risk 

Risk  management 
Sample 


Anything  that  impairs  an  organization's  ability  to  achieve  its  goals. 
Identifying  and  then  minimizing  or  eliminating  risk  and  its  effects. 

A  sample  is  a  portion  of  a  population.  We  use  sampling  to  select  items  from  a  population.  We 
perform  audit  tests  on  the  sample  items  to  obtain  evidence  and  form  a  conclusion  about  the 
population  as  a  whole.  We  use  either  statistical  or  judgmental  selection  of  sample  items,  and  we 
base  our  sample  size,  sample  selection,  and  evaluation  of  sample  results,  on  our  judgment  of  risk, 
the  nature  of  the  items  in  the  population,  and  the  specific  audit  objectives  for  which  sampling  is 
being  used. 


Standards  for  Systems  audits  are  conducted  in  accordance  with  the  assurance  and  value-for-money  auditing 

systems  audits  standards  established  by  the  Canadian  Institute  of  Chartered  Accountants. 

Systems  A  set  of  interrelated  management  control  processes  designed  to  achieve  goals  economically  and 

(management)  efficiently. 


Systems  A  set  of  interrelated  accounting  control  processes  for  revenue,  spending,  the  preservation  or  use  of 

(accounting)  assets,  and  the  determination  of  liabilities. 
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Systems  audit  To  help  improve  the  use  of  public  resources,  we  audit  and  recommend  improvements  to  systems 

designed  to  ensure  value  for  money. 

Paragraphs  (d)  and  (e)  of  subsection  19(2)  of  the  Auditor  General  Act  require  us  to  report  every 

case  in  which  we  observe  that: 

an  accounting  system  or  management  control  system,  including  those  designed  to  ensure 
economy  and  efficiency,  was  not  in  existence,  or  was  inadequate  or  not  complied  with,  or 
appropriate  and  reasonable  procedures  to  measure  and  report  on  the  effectiveness  of  programs 
were  not  established  or  complied  with. 

To  meet  this  requirement,  we  do  systems  audits.  Systems  audits  are  conducted  in  accordance  with 
the  auditing  standards  established  by  the  Canadian  Institute  of  Chartered  Accountants. 

First,  we  develop  criteria  (the  standards)  that  a  system  or  procedure  should  meet.  We  always 
discuss  our  proposed  criteria  with  management  and  try  to  gain  their  agreement  to  them.  Then 
we  do  our  work  to  gather  audit  evidence.  Next,  we  match  our  evidence  to  the  criteria.  If  the  audit 
evidence  matches  all  the  criteria,  we  conclude  the  system  or  procedure  is  operating  properly.  But 
if  the  evidence  doesn't  match  all  the  criteria,  we  have  an  audit  finding  that  leads  us  to  recommend 
what  the  ministry  must  do  to  ensure  that  the  system  or  procedure  will  meet  all  the  criteria.  For 
example,  if  we  have  five  criteria  and  a  system  meets  three  of  them,  the  two  unmet  criteria  lead  to 
the  recommendation. 

A  systems  audit  should  not  be  confused  with  assessing  systems  with  a  view  to  relying  on  them  in 
an  audit  of  financial  statements. 


Unqualified 
auditor's  opinion 


An  auditor's  opinion  that  information  audited  meet  the  criteria  that  apply  to  them. 


Unqualified  review 
engagement  report 


Although  sufficient  audit  evidence  has  not  been  obtained  to  enable  us  to  express  an  auditor's 
opinion,  nothing  has  come  to  our  attention  that  causes  us  to  believe  that  the  information  being 
reported  on  is  not,  in  all  material  respects,  in  accordance  with  appropriate  criteria. 


Value  for  money 


The  concept  underlying  a  systems  audit  is  value  for  money.  It  is  the  "bottom  line"  for  the  public 
sector,  analogous  to  profit  in  the  private  sector.  The  greater  the  value  added  by  a  government 
program,  the  more  effective  it  is.  The  fewer  resources  that  are  used  to  create  that  value,  the  more 
economical  or  efficient  the  program  is.  "Value"  in  this  context  means  the  impact  that  the  program  is 
intended  to  achieve  or  promote  on  conditions  such  as  public  health,  highway  safety,  crime,  or  farm 
incomes.  To  help  improve  the  use  of  public  resources,  we  audit  and  recommend  improvements  to 
systems  designed  to  ensure  value  for  money. 


Other  resources 

The  Canadian  Institute  of  Chartered  Accountants  (cica)  produces  a  useful  book  called,  Terminology  for  Accountants.  They 
can  be  contacted  at  cica,  277  Wellington  Street  West,  Toronto,  Ontario,  Canada  M5V  3H2  or  www.cica.ca. 
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